From cd464d4f8407e717c24991f3a089852de58a4ace Mon Sep 17 00:00:00 2001 From: Kernel Build Daemon Date: Nov 05 2022 07:16:49 +0000 Subject: Merge branch 'SLE15-SP4' into SLE15-SP4-AZURE --- diff --git a/blacklist.conf b/blacklist.conf index 0253043..1823434 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -439,4 +439,5 @@ fdabc3f10e774ddc86ba715b9bc0c861d7e0834c # ASoC:wm8997: reverted in below 7d4e966f4cd73ff69bf06934e8e14a33fb7ef447 # ASoC:wm5110: reverting the above 96e4abbd35adb5582573c463ccc554a644ac2434 # ASoC:wm5102: reverted in below de71d7567e358effd06dfc3e2a154b25f1331c10 # ASoC:wm5102: reverting the above - +6f81fdded0d024c7d4084d434764f30bca1cd6b1 # 8250_mtk: reverted in below +f0136f65285bcfb7e8f90d1013723076a35acd51 # 8250_mtk: reverting the above diff --git a/patches.suse/ARM-dts-imx6qdl-gw59-10-13-fix-user-pushbutton-GPIO-.patch b/patches.suse/ARM-dts-imx6qdl-gw59-10-13-fix-user-pushbutton-GPIO-.patch new file mode 100644 index 0000000..92bbd78 --- /dev/null +++ b/patches.suse/ARM-dts-imx6qdl-gw59-10-13-fix-user-pushbutton-GPIO-.patch @@ -0,0 +1,50 @@ +From bb5ad73941dc3f4e3c2241348f385da6501d50ea Mon Sep 17 00:00:00 2001 +From: Tim Harvey +Date: Thu, 29 Sep 2022 12:52:22 -0700 +Subject: [PATCH] ARM: dts: imx6qdl-gw59{10,13}: fix user pushbutton GPIO offset +Git-commit: bb5ad73941dc3f4e3c2241348f385da6501d50ea +Patch-mainline: v6.1-rc4 +References: git-fixes + +The GW5910 and GW5913 have a user pushbutton that is tied to the +Gateworks System Controller GPIO offset 2. Fix the invalid offset of 0. + +Fixes: 64bf0a0af18d ("ARM: dts: imx6qdl-gw: add Gateworks System Controller support") +Signed-off-by: Tim Harvey +Signed-off-by: Shawn Guo +Acked-by: Takashi Iwai + +--- + arch/arm/boot/dts/imx6qdl-gw5910.dtsi | 2 +- + arch/arm/boot/dts/imx6qdl-gw5913.dtsi | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/imx6qdl-gw5910.dtsi b/arch/arm/boot/dts/imx6qdl-gw5910.dtsi +index 68e5ab2e27e2..6bb4855d13ce 100644 +--- a/arch/arm/boot/dts/imx6qdl-gw5910.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-gw5910.dtsi +@@ -29,7 +29,7 @@ gpio-keys { + + user-pb { + label = "user_pb"; +- gpios = <&gsc_gpio 0 GPIO_ACTIVE_LOW>; ++ gpios = <&gsc_gpio 2 GPIO_ACTIVE_LOW>; + linux,code = ; + }; + +diff --git a/arch/arm/boot/dts/imx6qdl-gw5913.dtsi b/arch/arm/boot/dts/imx6qdl-gw5913.dtsi +index 8e23cec7149e..696427b487f0 100644 +--- a/arch/arm/boot/dts/imx6qdl-gw5913.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-gw5913.dtsi +@@ -26,7 +26,7 @@ gpio-keys { + + user-pb { + label = "user_pb"; +- gpios = <&gsc_gpio 0 GPIO_ACTIVE_LOW>; ++ gpios = <&gsc_gpio 2 GPIO_ACTIVE_LOW>; + linux,code = ; + }; + +-- +2.35.3 + diff --git a/patches.suse/Bluetooth-L2CAP-Fix-memory-leak-in-vhci_write.patch b/patches.suse/Bluetooth-L2CAP-Fix-memory-leak-in-vhci_write.patch index 616e3c4..325021f 100644 --- a/patches.suse/Bluetooth-L2CAP-Fix-memory-leak-in-vhci_write.patch +++ b/patches.suse/Bluetooth-L2CAP-Fix-memory-leak-in-vhci_write.patch @@ -1,10 +1,9 @@ -From 97097c85c088e11651146da32a4e1cdb9dfa6193 Mon Sep 17 00:00:00 2001 +From 7c9524d929648935bac2bbb4c20437df8f9c3f42 Mon Sep 17 00:00:00 2001 From: Hawkins Jiawei Date: Tue, 18 Oct 2022 10:18:51 +0800 Subject: [PATCH] Bluetooth: L2CAP: Fix memory leak in vhci_write -Git-commit: 97097c85c088e11651146da32a4e1cdb9dfa6193 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git -Patch-mainline: Queued in subsystem maintainer repo +Git-commit: 7c9524d929648935bac2bbb4c20437df8f9c3f42 +Patch-mainline: v6.1-rc4 References: CVE-2022-3619 bsc#1204569 Syzkaller reports a memory leak as follows: diff --git a/patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch b/patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch new file mode 100644 index 0000000..a94be9d --- /dev/null +++ b/patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch @@ -0,0 +1,175 @@ +From 3aff8aaca4e36dc8b17eaa011684881a80238966 Mon Sep 17 00:00:00 2001 +From: Maxim Mikityanskiy +Date: Wed, 5 Oct 2022 00:27:18 +0300 +Subject: [PATCH] Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu +Git-commit: 3aff8aaca4e36dc8b17eaa011684881a80238966 +Patch-mainline: v6.1-rc4 +References: git-fixes + +Fix the race condition between the following two flows that run in +Parallel: + +1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) -> + __sock_queue_rcv_skb. + +2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram. + +An SKB can be queued by the first flow and immediately dequeued and +freed by the second flow, therefore the callers of l2cap_reassemble_sdu +can't use the SKB after that function returns. However, some places +continue accessing struct l2cap_ctrl that resides in the SKB's CB for a +short time after l2cap_reassemble_sdu returns, leading to a +use-after-free condition (the stack trace is below, line numbers for +kernel 5.19.8). + +Fix it by keeping a local copy of struct l2cap_ctrl. + +Bug: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth +Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169 + +Workqueue: hci0 hci_rx_work [bluetooth] +Call Trace: + + dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4)) + print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429) + ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493) + ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth + ret_from_fork (arch/x86/entry/entry_64.S:306) + + +Allocated by task 43169: + kasan_save_stack (mm/kasan/common.c:39) + __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) + kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293) + __alloc_skb (net/core/skbuff.c:414) + l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth + l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth + hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth + process_one_work (kernel/workqueue.c:2289) + worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437) + kthread (kernel/kthread.c:376) + ret_from_fork (arch/x86/entry/entry_64.S:306) + +Freed by task 27920: + kasan_save_stack (mm/kasan/common.c:39) + kasan_set_track (mm/kasan/common.c:45) + kasan_set_free_info (mm/kasan/generic.c:372) + ____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328) + slab_free_freelist_hook (mm/slub.c:1780) + kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553) + skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323) + bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth + l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth + sock_read_iter (net/socket.c:1087) + new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401) + vfs_read (fs/read_write.c:482) + ksys_read (fs/read_write.c:620) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + +Link: https://lore.kernel.org/linux-bluetooth/CAKErNvoqga1WcmoR3-0875esY6TVWFQDandbVZncSiuGPBQXLA@mail.gmail.com/T/#u +Fixes: d2a7ac5d5d3a ("Bluetooth: Add the ERTM receive state machine") +Fixes: 4b51dae96731 ("Bluetooth: Add streaming mode receive and incoming packet classifier") +Signed-off-by: Maxim Mikityanskiy +Signed-off-by: Luiz Augusto von Dentz +Acked-by: Takashi Iwai + +--- + net/bluetooth/l2cap_core.c | 48 ++++++++++++++++++++++++++++++++------ + 1 file changed, 41 insertions(+), 7 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 1f34b82ca0ec..2283871d3f01 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6885,6 +6885,7 @@ static int l2cap_rx_state_recv(struct l2cap_chan *chan, + struct l2cap_ctrl *control, + struct sk_buff *skb, u8 event) + { ++ struct l2cap_ctrl local_control; + int err = 0; + bool skb_in_use = false; + +@@ -6909,15 +6910,32 @@ static int l2cap_rx_state_recv(struct l2cap_chan *chan, + chan->buffer_seq = chan->expected_tx_seq; + skb_in_use = true; + ++ /* l2cap_reassemble_sdu may free skb, hence invalidate ++ * control, so make a copy in advance to use it after ++ * l2cap_reassemble_sdu returns and to avoid the race ++ * condition, for example: ++ * ++ * The current thread calls: ++ * l2cap_reassemble_sdu ++ * chan->ops->recv == l2cap_sock_recv_cb ++ * __sock_queue_rcv_skb ++ * Another thread calls: ++ * bt_sock_recvmsg ++ * skb_recv_datagram ++ * skb_free_datagram ++ * Then the current thread tries to access control, but ++ * it was freed by skb_free_datagram. ++ */ ++ local_control = *control; + err = l2cap_reassemble_sdu(chan, skb, control); + if (err) + break; + +- if (control->final) { ++ if (local_control.final) { + if (!test_and_clear_bit(CONN_REJ_ACT, + &chan->conn_state)) { +- control->final = 0; +- l2cap_retransmit_all(chan, control); ++ local_control.final = 0; ++ l2cap_retransmit_all(chan, &local_control); + l2cap_ertm_send(chan); + } + } +@@ -7297,11 +7315,27 @@ static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + struct sk_buff *skb) + { ++ /* l2cap_reassemble_sdu may free skb, hence invalidate control, so store ++ * the txseq field in advance to use it after l2cap_reassemble_sdu ++ * returns and to avoid the race condition, for example: ++ * ++ * The current thread calls: ++ * l2cap_reassemble_sdu ++ * chan->ops->recv == l2cap_sock_recv_cb ++ * __sock_queue_rcv_skb ++ * Another thread calls: ++ * bt_sock_recvmsg ++ * skb_recv_datagram ++ * skb_free_datagram ++ * Then the current thread tries to access control, but it was freed by ++ * skb_free_datagram. ++ */ ++ u16 txseq = control->txseq; ++ + BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb, + chan->rx_state); + +- if (l2cap_classify_txseq(chan, control->txseq) == +- L2CAP_TXSEQ_EXPECTED) { ++ if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) { + l2cap_pass_to_tx(chan, control); + + BT_DBG("buffer_seq %u->%u", chan->buffer_seq, +@@ -7324,8 +7358,8 @@ static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + } + } + +- chan->last_acked_seq = control->txseq; +- chan->expected_tx_seq = __next_seq(chan, control->txseq); ++ chan->last_acked_seq = txseq; ++ chan->expected_tx_seq = __next_seq(chan, txseq); + + return 0; + } +-- +2.35.3 + diff --git a/patches.suse/Bluetooth-L2CAP-fix-use-after-free-in-l2cap_conn_del.patch b/patches.suse/Bluetooth-L2CAP-fix-use-after-free-in-l2cap_conn_del.patch index 19fd396..ca85e45 100644 --- a/patches.suse/Bluetooth-L2CAP-fix-use-after-free-in-l2cap_conn_del.patch +++ b/patches.suse/Bluetooth-L2CAP-fix-use-after-free-in-l2cap_conn_del.patch @@ -1,10 +1,9 @@ -From 42cf46dea905a80f6de218e837ba4d4cc33d6979 Mon Sep 17 00:00:00 2001 +From 0d0e2d032811280b927650ff3c15fe5020e82533 Mon Sep 17 00:00:00 2001 From: Zhengchao Shao Date: Mon, 17 Oct 2022 15:58:13 +0800 Subject: [PATCH] Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() -Git-commit: 42cf46dea905a80f6de218e837ba4d4cc33d6979 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git -Patch-mainline: Queued in subsystem maintainer repo +Git-commit: 0d0e2d032811280b927650ff3c15fe5020e82533 +Patch-mainline: v6.1-rc4 References: CVE-2022-3640 bsc#1204619 When l2cap_recv_frame() is invoked to receive data, and the cid is diff --git a/patches.suse/Bluetooth-virtio_bt-Use-skb_put-to-set-length.patch b/patches.suse/Bluetooth-virtio_bt-Use-skb_put-to-set-length.patch new file mode 100644 index 0000000..57abba0 --- /dev/null +++ b/patches.suse/Bluetooth-virtio_bt-Use-skb_put-to-set-length.patch @@ -0,0 +1,43 @@ +From 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be Mon Sep 17 00:00:00 2001 +From: Soenke Huster +Date: Wed, 12 Oct 2022 09:45:06 +0200 +Subject: [PATCH] Bluetooth: virtio_bt: Use skb_put to set length +Git-commit: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be +Patch-mainline: v6.1-rc4 +References: git-fixes + +By using skb_put we ensure that skb->tail is set +correctly. Currently, skb->tail is always zero, which +leads to errors, such as the following page fault in +Rfcomm_recv_frame: + + BUG: unable to handle page fault for address: ffffed1021de29ff + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + RIP: 0010:rfcomm_run+0x831/0x4040 (net/bluetooth/rfcomm/core.c:1751) + +Fixes: afd2daa26c7a ("Bluetooth: Add support for virtio transport driver") +Signed-off-by: Soenke Huster +Signed-off-by: Luiz Augusto von Dentz +Acked-by: Takashi Iwai + +--- + drivers/bluetooth/virtio_bt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/virtio_bt.c b/drivers/bluetooth/virtio_bt.c +index 67c21263f9e0..fd281d439505 100644 +--- a/drivers/bluetooth/virtio_bt.c ++++ b/drivers/bluetooth/virtio_bt.c +@@ -219,7 +219,7 @@ static void virtbt_rx_work(struct work_struct *work) + if (!skb) + return; + +- skb->len = len; ++ skb_put(skb, len); + virtbt_rx_handle(vbt, skb); + + if (virtbt_add_inbuf(vbt) < 0) +-- +2.35.3 + diff --git a/patches.suse/Documentation-devres-add-missing-I2C-helper.patch b/patches.suse/Documentation-devres-add-missing-I2C-helper.patch new file mode 100644 index 0000000..7f26ef7 --- /dev/null +++ b/patches.suse/Documentation-devres-add-missing-I2C-helper.patch @@ -0,0 +1,33 @@ +From 8e987f1f4da92d9f1dd020418bfab9fe04b1c54c Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Wed, 2 Nov 2022 21:45:59 +0800 +Subject: [PATCH] Documentation: devres: add missing I2C helper +Git-commit: 8e987f1f4da92d9f1dd020418bfab9fe04b1c54c +Patch-mainline: v6.1-rc4 +References: git-fixes + +Add missing devm_i2c_add_adapter() to devres.rst. It's introduced by +commit 07740c92ae57 ("i2c: core: add managed function for adding i2c +adapters"). + +Fixes: 07740c92ae57 ("i2c: core: add managed function for adding i2c adapters") +Signed-off-by: Yang Yingliang +Acked-by: Yicong Yang +Reviewed-by: Andy Shevchenko +Signed-off-by: Wolfram Sang +Acked-by: Takashi Iwai + +--- + Documentation/driver-api/driver-model/devres.rst | 1 + + 1 file changed, 1 insertion(+) + +--- a/Documentation/driver-api/driver-model/devres.rst ++++ b/Documentation/driver-api/driver-model/devres.rst +@@ -280,6 +280,7 @@ GPIO + devm_gpio_free() + + I2C ++ devm_i2c_add_adapter() + devm_i2c_new_dummy_device() + + IIO diff --git a/patches.suse/IB-core-Fix-a-nested-dead-lock-as-part-of-ODP-flow.patch b/patches.suse/IB-core-Fix-a-nested-dead-lock-as-part-of-ODP-flow.patch new file mode 100644 index 0000000..2e444ee --- /dev/null +++ b/patches.suse/IB-core-Fix-a-nested-dead-lock-as-part-of-ODP-flow.patch @@ -0,0 +1,93 @@ +From 85eaeb5058f0f04dffb124c97c86b4f18db0b833 Mon Sep 17 00:00:00 2001 +From: Yishai Hadas +Date: Wed, 24 Aug 2022 09:10:36 +0300 +Subject: [PATCH 1/1] IB/core: Fix a nested dead lock as part of ODP flow +Git-commit: 85eaeb5058f0f04dffb124c97c86b4f18db0b833 +Patch-mainline: v6.0 +References: git-fixes + +Fix a nested dead lock as part of ODP flow by using mmput_async(). + +From the below call trace [1] can see that calling mmput() once we have +the umem_odp->umem_mutex locked as required by +ib_umem_odp_map_dma_and_lock() might trigger in the same task the +exit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which +may dead lock when trying to lock the same mutex. + +Moving to use mmput_async() will solve the problem as the above +exit_mmap() flow will be called in other task and will be executed once +the lock will be available. + +[1] +[64843.077665] task:kworker/u133:2 state:D stack: 0 pid:80906 ppid: +2 flags:0x00004000 +[64843.077672] Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib] +[64843.077719] Call Trace: +[64843.077722] +[64843.077724] __schedule+0x23d/0x590 +[64843.077729] schedule+0x4e/0xb0 +[64843.077735] schedule_preempt_disabled+0xe/0x10 +[64843.077740] __mutex_lock.constprop.0+0x263/0x490 +[64843.077747] __mutex_lock_slowpath+0x13/0x20 +[64843.077752] mutex_lock+0x34/0x40 +[64843.077758] mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib] +[64843.077808] __mmu_notifier_release+0x1a4/0x200 +[64843.077816] exit_mmap+0x1bc/0x200 +[64843.077822] ? walk_page_range+0x9c/0x120 +[64843.077828] ? __cond_resched+0x1a/0x50 +[64843.077833] ? mutex_lock+0x13/0x40 +[64843.077839] ? uprobe_clear_state+0xac/0x120 +[64843.077860] mmput+0x5f/0x140 +[64843.077867] ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core] +[64843.077931] pagefault_real_mr+0x9a/0x140 [mlx5_ib] +[64843.077962] pagefault_mr+0xb4/0x550 [mlx5_ib] +[64843.077992] pagefault_single_data_segment.constprop.0+0x2ac/0x560 +[mlx5_ib] +[64843.078022] mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib] +[64843.078051] process_one_work+0x22b/0x3d0 +[64843.078059] worker_thread+0x53/0x410 +[64843.078065] ? process_one_work+0x3d0/0x3d0 +[64843.078073] kthread+0x12a/0x150 +[64843.078079] ? set_kthread_struct+0x50/0x50 +[64843.078085] ret_from_fork+0x22/0x30 +[64843.078093] + +Fixes: 36f30e486dce ("IB/core: Improve ODP to use hmm_range_fault()") +Reviewed-by: Maor Gottlieb +Signed-off-by: Yishai Hadas +Link: https://lore.kernel.org/r/74d93541ea533ef7daec6f126deb1072500aeb16.1661251841.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/umem_odp.c | 2 +- + kernel/fork.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/umem_odp.c b/drivers/infiniband/core/umem_odp.c +index 186ed8859920..d39e16c211e8 100644 +--- a/drivers/infiniband/core/umem_odp.c ++++ b/drivers/infiniband/core/umem_odp.c +@@ -462,7 +462,7 @@ retry: + mutex_unlock(&umem_odp->umem_mutex); + + out_put_mm: +- mmput(owning_mm); ++ mmput_async(owning_mm); + out_put_task: + if (owning_process) + put_task_struct(owning_process); +diff --git a/kernel/fork.c b/kernel/fork.c +index 90c85b17bf69..8a9e92068b15 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1225,6 +1225,7 @@ void mmput_async(struct mm_struct *mm) + schedule_work(&mm->async_put_work); + } + } ++EXPORT_SYMBOL_GPL(mmput_async); + #endif + + /** +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/arm64-dts-imx8-correct-clock-order.patch b/patches.suse/arm64-dts-imx8-correct-clock-order.patch new file mode 100644 index 0000000..c57baf6 --- /dev/null +++ b/patches.suse/arm64-dts-imx8-correct-clock-order.patch @@ -0,0 +1,63 @@ +From 06acb824d7d00a30e9400f67eee481b218371b5a Mon Sep 17 00:00:00 2001 +From: Peng Fan +Date: Mon, 10 Oct 2022 18:07:47 +0800 +Subject: [PATCH] arm64: dts: imx8: correct clock order +Git-commit: 06acb824d7d00a30e9400f67eee481b218371b5a +Patch-mainline: v6.1-rc4 +References: git-fixes + +Per bindings/mmc/fsl-imx-esdhc.yaml, the clock order is ipg, ahb, per, +otherwise warning: " +Mmc@5b020000: clock-names:1: 'ahb' was expected +Mmc@5b020000: clock-names:2: 'per' was expected " + +Fixes: 16c4ea7501b1 ("arm64: dts: imx8: switch to new lpcg clock binding") +Signed-off-by: Peng Fan +Signed-off-by: Shawn Guo +Acked-by: Takashi Iwai + +--- + arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi +@@ -38,9 +38,9 @@ conn_subsys: bus@5b000000 { + interrupts = ; + reg = <0x5b010000 0x10000>; + clocks = <&sdhc0_lpcg IMX_LPCG_CLK_4>, +- <&sdhc0_lpcg IMX_LPCG_CLK_5>, +- <&sdhc0_lpcg IMX_LPCG_CLK_0>; +- clock-names = "ipg", "per", "ahb"; ++ <&sdhc0_lpcg IMX_LPCG_CLK_0>, ++ <&sdhc0_lpcg IMX_LPCG_CLK_5>; ++ clock-names = "ipg", "ahb", "per"; + power-domains = <&pd IMX_SC_R_SDHC_0>; + status = "disabled"; + }; +@@ -49,9 +49,9 @@ conn_subsys: bus@5b000000 { + interrupts = ; + reg = <0x5b020000 0x10000>; + clocks = <&sdhc1_lpcg IMX_LPCG_CLK_4>, +- <&sdhc1_lpcg IMX_LPCG_CLK_5>, +- <&sdhc1_lpcg IMX_LPCG_CLK_0>; +- clock-names = "ipg", "per", "ahb"; ++ <&sdhc1_lpcg IMX_LPCG_CLK_0>, ++ <&sdhc1_lpcg IMX_LPCG_CLK_5>; ++ clock-names = "ipg", "ahb", "per"; + power-domains = <&pd IMX_SC_R_SDHC_1>; + fsl,tuning-start-tap = <20>; + fsl,tuning-step= <2>; +@@ -62,9 +62,9 @@ conn_subsys: bus@5b000000 { + interrupts = ; + reg = <0x5b030000 0x10000>; + clocks = <&sdhc2_lpcg IMX_LPCG_CLK_4>, +- <&sdhc2_lpcg IMX_LPCG_CLK_5>, +- <&sdhc2_lpcg IMX_LPCG_CLK_0>; +- clock-names = "ipg", "per", "ahb"; ++ <&sdhc2_lpcg IMX_LPCG_CLK_0>, ++ <&sdhc2_lpcg IMX_LPCG_CLK_5>; ++ clock-names = "ipg", "ahb", "per"; + power-domains = <&pd IMX_SC_R_SDHC_2>; + status = "disabled"; + }; diff --git a/patches.suse/arm64-dts-juno-Add-thermal-critical-trip-points.patch b/patches.suse/arm64-dts-juno-Add-thermal-critical-trip-points.patch new file mode 100644 index 0000000..2ce3b96 --- /dev/null +++ b/patches.suse/arm64-dts-juno-Add-thermal-critical-trip-points.patch @@ -0,0 +1,62 @@ +From c4a7b9b587ca1bb4678d48d8be7132492b23a81c Mon Sep 17 00:00:00 2001 +From: Cristian Marussi +Date: Fri, 28 Oct 2022 15:08:33 +0100 +Subject: [PATCH] arm64: dts: juno: Add thermal critical trip points +Git-commit: c4a7b9b587ca1bb4678d48d8be7132492b23a81c +Patch-mainline: v6.1-rc4 +References: git-fixes + +When thermnal zones are defined, trip points definitions are mandatory. +Define a couple of critical trip points for monitoring of existing +PMIC and SOC thermal zones. + +This was lost between txt to yaml conversion and was re-enforced recently +via the commit 8c596324232d ("dt-bindings: thermal: Fix missing required property") + +Cc: Rob Herring +Cc: Krzysztof Kozlowski +Cc: devicetree@vger.kernel.org +Signed-off-by: Cristian Marussi +Fixes: f7b636a8d83c ("arm64: dts: juno: add thermal zones for scpi sensors") +Link: https://lore.kernel.org/r/20221028140833.280091-8-cristian.marussi@arm.com +Signed-off-by: Sudeep Holla +Acked-by: Takashi Iwai + +--- + arch/arm64/boot/dts/arm/juno-base.dtsi | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/arch/arm64/boot/dts/arm/juno-base.dtsi b/arch/arm64/boot/dts/arm/juno-base.dtsi +index 2f27619d8abd..8b4d280b1e7e 100644 +--- a/arch/arm64/boot/dts/arm/juno-base.dtsi ++++ b/arch/arm64/boot/dts/arm/juno-base.dtsi +@@ -751,12 +751,26 @@ pmic { + polling-delay = <1000>; + polling-delay-passive = <100>; + thermal-sensors = <&scpi_sensors0 0>; ++ trips { ++ pmic_crit0: trip0 { ++ temperature = <90000>; ++ hysteresis = <2000>; ++ type = "critical"; ++ }; ++ }; + }; + + soc { + polling-delay = <1000>; + polling-delay-passive = <100>; + thermal-sensors = <&scpi_sensors0 3>; ++ trips { ++ soc_crit0: trip0 { ++ temperature = <80000>; ++ hysteresis = <2000>; ++ type = "critical"; ++ }; ++ }; + }; + + big_cluster_thermal_zone: big-cluster { +-- +2.35.3 + diff --git a/patches.suse/arm64-dts-ls1088a-specify-clock-frequencies-for-the-.patch b/patches.suse/arm64-dts-ls1088a-specify-clock-frequencies-for-the-.patch new file mode 100644 index 0000000..f3e065e --- /dev/null +++ b/patches.suse/arm64-dts-ls1088a-specify-clock-frequencies-for-the-.patch @@ -0,0 +1,44 @@ +From d78a57426e64fc4c61e6189e450a0432d24536ca Mon Sep 17 00:00:00 2001 +From: Ioana Ciornei +Date: Tue, 25 Oct 2022 17:41:16 +0300 +Subject: [PATCH] arm64: dts: ls1088a: specify clock frequencies for the MDIO controllers +Git-commit: d78a57426e64fc4c61e6189e450a0432d24536ca +Patch-mainline: v6.1-rc4 +References: git-fixes + +Up until now, the external MDIO controller frequency values relied +either on the default ones out of reset or on those setup by u-boot. +Let's just properly specify the MDC frequency in the DTS so that even +without u-boot's intervention Linux can drive the MDIO bus. + +Fixes: bbe75af7b092 ("arm64: dts: ls1088a: add external MDIO device nodes") +Signed-off-by: Ioana Ciornei +Signed-off-by: Shawn Guo +Acked-by: Takashi Iwai + +--- + arch/arm64/boot/dts/freescale/fsl-ls1088a.dtsi | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/arm64/boot/dts/freescale/fsl-ls1088a.dtsi ++++ b/arch/arm64/boot/dts/freescale/fsl-ls1088a.dtsi +@@ -762,6 +762,9 @@ + little-endian; + #address-cells = <1>; + #size-cells = <0>; ++ clock-frequency = <2500000>; ++ clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL ++ QORIQ_CLK_PLL_DIV(1)>; + status = "disabled"; + }; + +@@ -771,6 +774,9 @@ + little-endian; + #address-cells = <1>; + #size-cells = <0>; ++ clock-frequency = <2500000>; ++ clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL ++ QORIQ_CLK_PLL_DIV(1)>; + status = "disabled"; + + pcs2: ethernet-phy@0 { diff --git a/patches.suse/arm64-dts-ls208xa-specify-clock-frequencies-for-the-.patch b/patches.suse/arm64-dts-ls208xa-specify-clock-frequencies-for-the-.patch new file mode 100644 index 0000000..2cf167f --- /dev/null +++ b/patches.suse/arm64-dts-ls208xa-specify-clock-frequencies-for-the-.patch @@ -0,0 +1,44 @@ +From d5c921a53c80dfa942f6dff36253db5a50775a5f Mon Sep 17 00:00:00 2001 +From: Ioana Ciornei +Date: Tue, 25 Oct 2022 17:41:17 +0300 +Subject: [PATCH] arm64: dts: ls208xa: specify clock frequencies for the MDIO controllers +Git-commit: d5c921a53c80dfa942f6dff36253db5a50775a5f +Patch-mainline: v6.1-rc4 +References: git-fixes + +Up until now, the external MDIO controller frequency values relied +either on the default ones out of reset or on those setup by u-boot. +Let's just properly specify the MDC frequency in the DTS so that even +without u-boot's intervention Linux can drive the MDIO bus. + +Fixes: 0420dde30a90 ("arm64: dts: ls208xa: add the external MDIO nodes") +Signed-off-by: Ioana Ciornei +Signed-off-by: Shawn Guo +Acked-by: Takashi Iwai + +--- + arch/arm64/boot/dts/freescale/fsl-ls208xa.dtsi | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/arm64/boot/dts/freescale/fsl-ls208xa.dtsi ++++ b/arch/arm64/boot/dts/freescale/fsl-ls208xa.dtsi +@@ -534,6 +534,9 @@ + little-endian; + #address-cells = <1>; + #size-cells = <0>; ++ clock-frequency = <2500000>; ++ clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL ++ QORIQ_CLK_PLL_DIV(2)>; + status = "disabled"; + }; + +@@ -543,6 +546,9 @@ + little-endian; + #address-cells = <1>; + #size-cells = <0>; ++ clock-frequency = <2500000>; ++ clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL ++ QORIQ_CLK_PLL_DIV(2)>; + status = "disabled"; + + pcs1: ethernet-phy@0 { diff --git a/patches.suse/arm64-dts-lx2160a-specify-clock-frequencies-for-the-.patch b/patches.suse/arm64-dts-lx2160a-specify-clock-frequencies-for-the-.patch new file mode 100644 index 0000000..cef4f5f --- /dev/null +++ b/patches.suse/arm64-dts-lx2160a-specify-clock-frequencies-for-the-.patch @@ -0,0 +1,50 @@ +From c126a0abc5dadd7df236f20aae6d8c3d103f095c Mon Sep 17 00:00:00 2001 +From: Ioana Ciornei +Date: Tue, 25 Oct 2022 17:41:15 +0300 +Subject: [PATCH] arm64: dts: lx2160a: specify clock frequencies for the MDIO controllers +Git-commit: c126a0abc5dadd7df236f20aae6d8c3d103f095c +Patch-mainline: v6.1-rc4 +References: git-fixes + +Up until now, the external MDIO controller frequency values relied +either on the default ones out of reset or on those setup by u-boot. +Let's just properly specify the MDC frequency in the DTS so that even +without u-boot's intervention Linux can drive the MDIO bus. + +Fixes: 6e1b8fae892d ("arm64: dts: lx2160a: add emdio1 node") +Fixes: 5705b9dcda57 ("arm64: dts: lx2160a: add emdio2 node") +Signed-off-by: Ioana Ciornei +Signed-off-by: Shawn Guo +Acked-by: Takashi Iwai + +--- + arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi +index 6680fb2a6dc9..8c76d86cb756 100644 +--- a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi ++++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi +@@ -1385,6 +1385,9 @@ emdio1: mdio@8b96000 { + #address-cells = <1>; + #size-cells = <0>; + little-endian; ++ clock-frequency = <2500000>; ++ clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL ++ QORIQ_CLK_PLL_DIV(2)>; + status = "disabled"; + }; + +@@ -1395,6 +1398,9 @@ emdio2: mdio@8b97000 { + little-endian; + #address-cells = <1>; + #size-cells = <0>; ++ clock-frequency = <2500000>; ++ clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL ++ QORIQ_CLK_PLL_DIV(2)>; + status = "disabled"; + }; + +-- +2.35.3 + diff --git a/patches.suse/arm64-entry-avoid-kprobe-recursion.patch b/patches.suse/arm64-entry-avoid-kprobe-recursion.patch new file mode 100644 index 0000000..0dd6826 --- /dev/null +++ b/patches.suse/arm64-entry-avoid-kprobe-recursion.patch @@ -0,0 +1,134 @@ +From 024f4b2e1f874934943eb2d3d288ebc52c79f55c Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Mon, 17 Oct 2022 10:01:57 +0100 +Subject: [PATCH] arm64: entry: avoid kprobe recursion +Git-commit: 024f4b2e1f874934943eb2d3d288ebc52c79f55c +Patch-mainline: v6.1-rc4 +References: git-fixes + +The cortex_a76_erratum_1463225_debug_handler() function is called when +handling debug exceptions (and synchronous exceptions from BRK +instructions), and so is called when a probed function executes. If the +compiler does not inline cortex_a76_erratum_1463225_debug_handler(), it +can be probed. + +If cortex_a76_erratum_1463225_debug_handler() is probed, any debug +exception or software breakpoint exception will result in recursive +exceptions leading to a stack overflow. This can be triggered with the +ftrace multiple_probes selftest, and as per the example splat below. + +This is a regression caused by commit: + + 6459b8469753e9fe ("arm64: entry: consolidate Cortex-A76 erratum 1463225 workaround") + +... which removed the NOKPROBE_SYMBOL() annotation associated with the +function. + +My intent was that cortex_a76_erratum_1463225_debug_handler() would be +inlined into its caller, el1_dbg(), which is marked noinstr and cannot +be probed. Mark cortex_a76_erratum_1463225_debug_handler() as +__always_inline to ensure this. + +Example splat prior to this patch (with recursive entries elided): + +| # echo p cortex_a76_erratum_1463225_debug_handler > /sys/kernel/debug/tracing/kprobe_events +| # echo p do_el0_svc >> /sys/kernel/debug/tracing/kprobe_events +| # echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable +| Insufficient stack space to handle exception! +| ESR: 0x0000000096000047 -- DABT (current EL) +| FAR: 0xffff800009cefff0 +| Task stack: [0xffff800009cf0000..0xffff800009cf4000] +| IRQ stack: [0xffff800008000000..0xffff800008004000] +| Overflow stack: [0xffff00007fbc00f0..0xffff00007fbc10f0] +| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2 +| Hardware name: linux,dummy-virt (DT) +| pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +| pc : arm64_enter_el1_dbg+0x4/0x20 +| lr : el1_dbg+0x24/0x5c +| sp : ffff800009cf0000 +| x29: ffff800009cf0000 x28: ffff000002c74740 x27: 0000000000000000 +| x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 +| x23: 00000000604003c5 x22: ffff80000801745c x21: 0000aaaac95ac068 +| x20: 00000000f2000004 x19: ffff800009cf0040 x18: 0000000000000000 +| x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 +| x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 +| x11: 0000000000000010 x10: ffff800008c87190 x9 : ffff800008ca00d0 +| x8 : 000000000000003c x7 : 0000000000000000 x6 : 0000000000000000 +| x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000043a4 +| x2 : 00000000f2000004 x1 : 00000000f2000004 x0 : ffff800009cf0040 +| Kernel panic - not syncing: kernel stack overflow +| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2 +| Hardware name: linux,dummy-virt (DT) +| Call trace: +| dump_backtrace+0xe4/0x104 +| show_stack+0x18/0x4c +| dump_stack_lvl+0x64/0x7c +| dump_stack+0x18/0x38 +| panic+0x14c/0x338 +| test_taint+0x0/0x2c +| panic_bad_stack+0x104/0x118 +| handle_bad_stack+0x34/0x48 +| __bad_stack+0x78/0x7c +| arm64_enter_el1_dbg+0x4/0x20 +| el1h_64_sync_handler+0x40/0x98 +| el1h_64_sync+0x64/0x68 +| cortex_a76_erratum_1463225_debug_handler+0x0/0x34 +... +| el1h_64_sync_handler+0x40/0x98 +| el1h_64_sync+0x64/0x68 +| cortex_a76_erratum_1463225_debug_handler+0x0/0x34 +... +| el1h_64_sync_handler+0x40/0x98 +| el1h_64_sync+0x64/0x68 +| cortex_a76_erratum_1463225_debug_handler+0x0/0x34 +| el1h_64_sync_handler+0x40/0x98 +| el1h_64_sync+0x64/0x68 +| do_el0_svc+0x0/0x28 +| el0t_64_sync_handler+0x84/0xf0 +| el0t_64_sync+0x18c/0x190 +| Kernel Offset: disabled +| CPU features: 0x0080,00005021,19001080 +| Memory Limit: none +| ---[ end Kernel panic - not syncing: kernel stack overflow ]--- + +With this patch, cortex_a76_erratum_1463225_debug_handler() is inlined +into el1_dbg(), and el1_dbg() cannot be probed: + +| # echo p cortex_a76_erratum_1463225_debug_handler > /sys/kernel/debug/tracing/kprobe_events +| sh: write error: No such file or directory +| # grep -w cortex_a76_erratum_1463225_debug_handler /proc/kallsyms | wc -l +| 0 +| # echo p el1_dbg > /sys/kernel/debug/tracing/kprobe_events +| sh: write error: Invalid argument +| # grep -w el1_dbg /proc/kallsyms | wc -l +| 1 + +Fixes: 6459b8469753 ("arm64: entry: consolidate Cortex-A76 erratum 1463225 workaround") +Cc: # 5.12.x +Signed-off-by: Mark Rutland +Cc: Will Deacon +Link: https://lore.kernel.org/r/20221017090157.2881408-1-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Acked-by: Takashi Iwai + +--- + arch/arm64/kernel/entry-common.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c +index 9173fad279af..27369fa1c032 100644 +--- a/arch/arm64/kernel/entry-common.c ++++ b/arch/arm64/kernel/entry-common.c +@@ -329,7 +329,8 @@ static void cortex_a76_erratum_1463225_svc_handler(void) + __this_cpu_write(__in_cortex_a76_erratum_1463225_wa, 0); + } + +-static bool cortex_a76_erratum_1463225_debug_handler(struct pt_regs *regs) ++static __always_inline bool ++cortex_a76_erratum_1463225_debug_handler(struct pt_regs *regs) + { + if (!__this_cpu_read(__in_cortex_a76_erratum_1463225_wa)) + return false; +-- +2.35.3 + diff --git a/patches.suse/ata-pata_legacy-fix-pdc20230_set_piomode.patch b/patches.suse/ata-pata_legacy-fix-pdc20230_set_piomode.patch new file mode 100644 index 0000000..6c90e3f --- /dev/null +++ b/patches.suse/ata-pata_legacy-fix-pdc20230_set_piomode.patch @@ -0,0 +1,45 @@ +From 171a93182eccd6e6835d2c86b40787f9f832efaa Mon Sep 17 00:00:00 2001 +From: Sergey Shtylyov +Date: Sat, 29 Oct 2022 00:07:06 +0300 +Subject: [PATCH] ata: pata_legacy: fix pdc20230_set_piomode() +Git-commit: 171a93182eccd6e6835d2c86b40787f9f832efaa +Patch-mainline: v6.1-rc4 +References: git-fixes + +Clang gives a warning when compiling pata_legacy.c with 'make W=1' about +the 'rt' local variable in pdc20230_set_piomode() being set but unused. +Quite obviously, there is an outb() call missing to write back the updated +variable. Moreover, checking the docs by Petr Soucek revealed that bitwise +AND should have been done with a negated timing mask and the master/slave +timing masks were swapped while updating... + +Fixes: 669a5db411d8 ("[libata] Add a bunch of PATA drivers.") +Reported-by: Damien Le Moal +Signed-off-by: Sergey Shtylyov +Signed-off-by: Damien Le Moal +Acked-by: Takashi Iwai + +--- + drivers/ata/pata_legacy.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/pata_legacy.c b/drivers/ata/pata_legacy.c +index 0a8bf09a5c19..03c580625c2c 100644 +--- a/drivers/ata/pata_legacy.c ++++ b/drivers/ata/pata_legacy.c +@@ -315,9 +315,10 @@ static void pdc20230_set_piomode(struct ata_port *ap, struct ata_device *adev) + outb(inb(0x1F4) & 0x07, 0x1F4); + + rt = inb(0x1F3); +- rt &= 0x07 << (3 * adev->devno); ++ rt &= ~(0x07 << (3 * !adev->devno)); + if (pio) +- rt |= (1 + 3 * pio) << (3 * adev->devno); ++ rt |= (1 + 3 * pio) << (3 * !adev->devno); ++ outb(rt, 0x1F3); + + udelay(100); + outb(inb(0x1F2) | 0x01, 0x1F2); +-- +2.35.3 + diff --git a/patches.suse/dt-bindings-power-gpcv2-add-power-domains-property.patch b/patches.suse/dt-bindings-power-gpcv2-add-power-domains-property.patch new file mode 100644 index 0000000..4315d3b --- /dev/null +++ b/patches.suse/dt-bindings-power-gpcv2-add-power-domains-property.patch @@ -0,0 +1,41 @@ +From ef370d8ceec62322dee24c960af8ca67a749f34d Mon Sep 17 00:00:00 2001 +From: Peng Fan +Date: Mon, 10 Oct 2022 18:09:58 +0800 +Subject: [PATCH] dt-bindings: power: gpcv2: add power-domains property +Git-commit: ef370d8ceec62322dee24c960af8ca67a749f34d +Patch-mainline: v6.1-rc4 +References: git-fixes + +Some pgc power-domain requires a parent power domain, so +add an optional power-domains property, otherwise there will be +dt check warning: +Gpc@303a0000: pgc:power-domain@1: 'power-domains' does not match +any of the regexes: 'pinctrl-[0-9]+' + +Fixes: 30af8513bdb5 ("dt-bindings: power: add defines for i.MX8MM power domains") +Signed-off-by: Peng Fan +Acked-by: Krzysztof Kozlowski +Signed-off-by: Shawn Guo +Acked-by: Takashi Iwai + +--- + Documentation/devicetree/bindings/power/fsl,imx-gpcv2.yaml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/Documentation/devicetree/bindings/power/fsl,imx-gpcv2.yaml b/Documentation/devicetree/bindings/power/fsl,imx-gpcv2.yaml +index 58022ae7d5dd..dfdb8dfb6b65 100644 +--- a/Documentation/devicetree/bindings/power/fsl,imx-gpcv2.yaml ++++ b/Documentation/devicetree/bindings/power/fsl,imx-gpcv2.yaml +@@ -81,6 +81,9 @@ properties: + + power-supply: true + ++ power-domains: ++ maxItems: 1 ++ + resets: + description: | + A number of phandles to resets that need to be asserted during +-- +2.35.3 + diff --git a/patches.suse/efi-tpm-Pass-correct-address-to-memblock_reserve.patch b/patches.suse/efi-tpm-Pass-correct-address-to-memblock_reserve.patch new file mode 100644 index 0000000..11cc9f9 --- /dev/null +++ b/patches.suse/efi-tpm-Pass-correct-address-to-memblock_reserve.patch @@ -0,0 +1,46 @@ +From f4cd18c5b2000df0c382f6530eeca9141ea41faf Mon Sep 17 00:00:00 2001 +From: Jerry Snitselaar +Date: Sat, 22 Oct 2022 08:23:52 -0700 +Subject: [PATCH] efi/tpm: Pass correct address to memblock_reserve +Git-commit: f4cd18c5b2000df0c382f6530eeca9141ea41faf +Patch-mainline: v6.1-rc4 +References: git-fixes + +memblock_reserve() expects a physical address, but the address being +passed for the TPM final events log is what was returned from +early_memremap(). This results in something like the following: + +[ 0.000000] memblock_reserve: [0xffffffffff2c0000-0xffffffffff2c00e4] efi_tpm_eventlog_init+0x324/0x370 + +Pass the address from efi like what is done for the TPM events log. + +Fixes: c46f3405692d ("tpm: Reserve the TPM final events table") +Cc: Matthew Garrett +Cc: Jarkko Sakkinen +Cc: Bartosz Szczepanek +Cc: Ard Biesheuvel +Signed-off-by: Jerry Snitselaar +Acked-by: Jarkko Sakkinen +Signed-off-by: Ard Biesheuvel +Acked-by: Takashi Iwai + +--- + drivers/firmware/efi/tpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c +index 8f665678e9e3..e8d69bd548f3 100644 +--- a/drivers/firmware/efi/tpm.c ++++ b/drivers/firmware/efi/tpm.c +@@ -97,7 +97,7 @@ int __init efi_tpm_eventlog_init(void) + goto out_calc; + } + +- memblock_reserve((unsigned long)final_tbl, ++ memblock_reserve(efi.tpm_final_log, + tbl_size + sizeof(*final_tbl)); + efi_tpm_final_log_size = tbl_size; + +-- +2.35.3 + diff --git a/patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch b/patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch index 9dcdef7..05ee5f0 100644 --- a/patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch +++ b/patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch @@ -2,9 +2,8 @@ From 6a7bca685c93fd18133d313716e141faac3bddc3 Mon Sep 17 00:00:00 2001 From: Hyunwoo Kim Date: Sun, 25 Sep 2022 06:32:43 -0700 Subject: [PATCH] fbdev: smscufx: Fix use-after-free in ufx_ops_open() -Git-commit: 6a7bca685c93fd18133d313716e141faac3bddc3 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev.git -Patch-mainline: Queued in subsystem maintainer repo +Git-commit: cc67482c9e5f2c80d62f623bcc347c29f9f648e1 +Patch-mainline: v6.1-rc3 References: CVE-2022-41849 bsc#1203992 A race condition may occur if the user physically removes the diff --git a/patches.suse/firmware-arm_scmi-Make-Rx-chan_setup-fail-on-memory-.patch b/patches.suse/firmware-arm_scmi-Make-Rx-chan_setup-fail-on-memory-.patch new file mode 100644 index 0000000..7eeb093 --- /dev/null +++ b/patches.suse/firmware-arm_scmi-Make-Rx-chan_setup-fail-on-memory-.patch @@ -0,0 +1,46 @@ +From be9ba1f7f9e0b565b19f4294f5871da9d654bc6d Mon Sep 17 00:00:00 2001 +From: Cristian Marussi +Date: Fri, 28 Oct 2022 15:08:29 +0100 +Subject: [PATCH] firmware: arm_scmi: Make Rx chan_setup fail on memory errors +Git-commit: be9ba1f7f9e0b565b19f4294f5871da9d654bc6d +Patch-mainline: v6.1-rc4 +References: git-fixes + +SCMI Rx channels are optional and they can fail to be setup when not +present but anyway channels setup routines must bail-out on memory errors. + +Make channels setup, and related probing, fail when memory errors are +reported on Rx channels. + +Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type") +Signed-off-by: Cristian Marussi +Link: https://lore.kernel.org/r/20221028140833.280091-4-cristian.marussi@arm.com +Signed-off-by: Sudeep Holla +Acked-by: Takashi Iwai + +--- + drivers/firmware/arm_scmi/driver.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c +index 985775f210f9..f818d00bb2c6 100644 +--- a/drivers/firmware/arm_scmi/driver.c ++++ b/drivers/firmware/arm_scmi/driver.c +@@ -2045,8 +2045,12 @@ scmi_txrx_setup(struct scmi_info *info, struct device *dev, int prot_id) + { + int ret = scmi_chan_setup(info, dev, prot_id, true); + +- if (!ret) /* Rx is optional, hence no error check */ +- scmi_chan_setup(info, dev, prot_id, false); ++ if (!ret) { ++ /* Rx is optional, report only memory errors */ ++ ret = scmi_chan_setup(info, dev, prot_id, false); ++ if (ret && ret != -ENOMEM) ++ ret = 0; ++ } + + return ret; + } +-- +2.35.3 + diff --git a/patches.suse/firmware-arm_scmi-Suppress-the-driver-s-bind-attribu.patch b/patches.suse/firmware-arm_scmi-Suppress-the-driver-s-bind-attribu.patch new file mode 100644 index 0000000..448ab18 --- /dev/null +++ b/patches.suse/firmware-arm_scmi-Suppress-the-driver-s-bind-attribu.patch @@ -0,0 +1,36 @@ +From fd96fbc8fad35d6b1872c90df8a2f5d721f14d91 Mon Sep 17 00:00:00 2001 +From: Cristian Marussi +Date: Fri, 28 Oct 2022 15:08:27 +0100 +Subject: [PATCH] firmware: arm_scmi: Suppress the driver's bind attributes +Git-commit: fd96fbc8fad35d6b1872c90df8a2f5d721f14d91 +Patch-mainline: v6.1-rc4 +References: git-fixes + +Suppress the capability to unbind the core SCMI driver since all the +SCMI stack protocol drivers depend on it. + +Fixes: aa4f886f3893 ("firmware: arm_scmi: add basic driver infrastructure for SCMI") +Signed-off-by: Cristian Marussi +Link: https://lore.kernel.org/r/20221028140833.280091-2-cristian.marussi@arm.com +Signed-off-by: Sudeep Holla +Acked-by: Takashi Iwai + +--- + drivers/firmware/arm_scmi/driver.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c +index 7e19b6055d75..94be633b55a0 100644 +--- a/drivers/firmware/arm_scmi/driver.c ++++ b/drivers/firmware/arm_scmi/driver.c +@@ -2578,6 +2578,7 @@ MODULE_DEVICE_TABLE(of, scmi_of_match); + static struct platform_driver scmi_driver = { + .driver = { + .name = "arm-scmi", ++ .suppress_bind_attrs = true, + .of_match_table = scmi_of_match, + .dev_groups = versions_groups, + }, +-- +2.35.3 + diff --git a/patches.suse/fs-binfmt_elf-Fix-memory-leak-in-load_elf_binary.patch b/patches.suse/fs-binfmt_elf-Fix-memory-leak-in-load_elf_binary.patch new file mode 100644 index 0000000..331eebc --- /dev/null +++ b/patches.suse/fs-binfmt_elf-Fix-memory-leak-in-load_elf_binary.patch @@ -0,0 +1,72 @@ +From 594d2a14f2168c09b13b114c3d457aa939403e52 Mon Sep 17 00:00:00 2001 +From: Li Zetao +Date: Mon, 24 Oct 2022 23:44:21 +0800 +Subject: [PATCH] fs/binfmt_elf: Fix memory leak in load_elf_binary() +Git-commit: 594d2a14f2168c09b13b114c3d457aa939403e52 +Patch-mainline: v6.1-rc3 +References: git-fixes + +There is a memory leak reported by kmemleak: + + unreferenced object 0xffff88817104ef80 (size 224): + comm "xfs_admin", pid 47165, jiffies 4298708825 (age 1333.476s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 60 a8 b3 00 81 88 ff ff a8 10 5a 00 81 88 ff ff `.........Z..... + backtrace: + [] __alloc_file+0x21/0x250 + [] alloc_empty_file+0x41/0xf0 + [] path_openat+0xea/0x3d30 + [] do_filp_open+0x1b9/0x290 + [] do_open_execat+0xce/0x5b0 + [] open_exec+0x27/0x50 + [] load_elf_binary+0x510/0x3ed0 + [] bprm_execve+0x599/0x1240 + [] do_execveat_common.isra.0+0x4c7/0x680 + [] __x64_sys_execve+0x88/0xb0 + [] do_syscall_64+0x35/0x80 + +If "interp_elf_ex" fails to allocate memory in load_elf_binary(), +the program will take the "out_free_ph" error handing path, +resulting in "interpreter" file resource is not released. + +Fix it by adding an error handing path "out_free_file", which will +release the file resource when "interp_elf_ex" failed to allocate +memory. + +Fixes: 0693ffebcfe5 ("fs/binfmt_elf.c: allocate less for static executable") +Signed-off-by: Li Zetao +Reviewed-by: Alexey Dobriyan +Signed-off-by: Kees Cook +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20221024154421.982230-1-lizetao1@huawei.com +Acked-by: Takashi Iwai + +--- + fs/binfmt_elf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 63c7ebb0da89..6a11025e5850 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -911,7 +911,7 @@ static int load_elf_binary(struct linux_binprm *bprm) + interp_elf_ex = kmalloc(sizeof(*interp_elf_ex), GFP_KERNEL); + if (!interp_elf_ex) { + retval = -ENOMEM; +- goto out_free_ph; ++ goto out_free_file; + } + + /* Get the exec headers */ +@@ -1354,6 +1354,7 @@ static int load_elf_binary(struct linux_binprm *bprm) + out_free_dentry: + kfree(interp_elf_ex); + kfree(interp_elf_phdata); ++out_free_file: + allow_write_access(interpreter); + if (interpreter) + fput(interpreter); +-- +2.35.3 + diff --git a/patches.suse/i2c-piix4-Fix-adapter-not-be-removed-in-piix4_remove.patch b/patches.suse/i2c-piix4-Fix-adapter-not-be-removed-in-piix4_remove.patch new file mode 100644 index 0000000..4718a81 --- /dev/null +++ b/patches.suse/i2c-piix4-Fix-adapter-not-be-removed-in-piix4_remove.patch @@ -0,0 +1,81 @@ +From 569bea74c94d37785682b11bab76f557520477cd Mon Sep 17 00:00:00 2001 +From: Chen Zhongjin +Date: Thu, 27 Oct 2022 20:13:53 +0800 +Subject: [PATCH] i2c: piix4: Fix adapter not be removed in piix4_remove() +Git-commit: 569bea74c94d37785682b11bab76f557520477cd +Patch-mainline: v6.1-rc4 +References: git-fixes + +In piix4_probe(), the piix4 adapter will be registered in: + + piix4_probe() + piix4_add_adapters_sb800() / piix4_add_adapter() + i2c_add_adapter() + +Based on the probed device type, piix4_add_adapters_sb800() or single +piix4_add_adapter() will be called. +For the former case, piix4_adapter_count is set as the number of adapters, +while for antoher case it is not set and kept default *zero*. + +When piix4 is removed, piix4_remove() removes the adapters added in +piix4_probe(), basing on the piix4_adapter_count value. +Because the count is zero for the single adapter case, the adapter won't +be removed and makes the sources allocated for adapter leaked, such as +the i2c client and device. + +These sources can still be accessed by i2c or bus and cause problems. +An easily reproduced case is that if a new adapter is registered, i2c +will get the leaked adapter and try to call smbus_algorithm, which was +already freed: + +Triggered by: rmmod i2c_piix4 && modprobe max31730 + + BUG: unable to handle page fault for address: ffffffffc053d860 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + Oops: 0000 [#1] PREEMPT SMP KASAN + CPU: 0 PID: 3752 Comm: modprobe Tainted: G + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) + RIP: 0010:i2c_default_probe (drivers/i2c/i2c-core-base.c:2259) i2c_core + RSP: 0018:ffff888107477710 EFLAGS: 00000246 + ... + + i2c_detect (drivers/i2c/i2c-core-base.c:2302) i2c_core + __process_new_driver (drivers/i2c/i2c-core-base.c:1336) i2c_core + bus_for_each_dev (drivers/base/bus.c:301) + i2c_for_each_dev (drivers/i2c/i2c-core-base.c:1823) i2c_core + i2c_register_driver (drivers/i2c/i2c-core-base.c:1861) i2c_core + do_one_initcall (init/main.c:1296) + do_init_module (kernel/module/main.c:2455) + ... + + ---[ end trace 0000000000000000 ]--- + +Fix this problem by correctly set piix4_adapter_count as 1 for the +single adapter so it can be normally removed. + +Fixes: 528d53a1592b ("i2c: piix4: Fix probing of reserved ports on AMD Family 16h Model 30h") +Signed-off-by: Chen Zhongjin +Reviewed-by: Jean Delvare +Signed-off-by: Wolfram Sang +Acked-by: Takashi Iwai + +--- + drivers/i2c/busses/i2c-piix4.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i2c/busses/i2c-piix4.c b/drivers/i2c/busses/i2c-piix4.c +index 39cb1b7bb865..809fbd014cd6 100644 +--- a/drivers/i2c/busses/i2c-piix4.c ++++ b/drivers/i2c/busses/i2c-piix4.c +@@ -1080,6 +1080,7 @@ static int piix4_probe(struct pci_dev *dev, const struct pci_device_id *id) + "", &piix4_main_adapters[0]); + if (retval < 0) + return retval; ++ piix4_adapter_count = 1; + } + + /* Check for auxiliary SMBus on some AMD chipsets */ +-- +2.35.3 + diff --git a/patches.suse/ice-Allow-operation-with-reduced-device-MSI-X.patch b/patches.suse/ice-Allow-operation-with-reduced-device-MSI-X.patch index 2262277..25a5a7e 100644 --- a/patches.suse/ice-Allow-operation-with-reduced-device-MSI-X.patch +++ b/patches.suse/ice-Allow-operation-with-reduced-device-MSI-X.patch @@ -2,8 +2,9 @@ From ce4626131112e1d0066a890371e14d8091323f99 Mon Sep 17 00:00:00 2001 From: Tony Nguyen Date: Mon, 22 Aug 2022 11:56:54 -0700 Subject: ice: Allow operation with reduced device MSI-X +Git-commit: ce4626131112e1d0066a890371e14d8091323f99 References: bsc#1201987 -Patch-mainline: not yet, in net-next queue as of 22/08/2022 +Patch-mainline: v6.1-rc1 The driver currently takes an all or nothing approach for device MSI-X vectors. Meaning if it does not get its full allocation, it will fail and diff --git a/patches.suse/isdn-mISDN-netjet-fix-wrong-check-of-device-registra.patch b/patches.suse/isdn-mISDN-netjet-fix-wrong-check-of-device-registra.patch new file mode 100644 index 0000000..a0f06bc --- /dev/null +++ b/patches.suse/isdn-mISDN-netjet-fix-wrong-check-of-device-registra.patch @@ -0,0 +1,37 @@ +From bf00f5426074249058a106a6edbb89e4b25a4d79 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Mon, 31 Oct 2022 20:13:41 +0800 +Subject: [PATCH] isdn: mISDN: netjet: fix wrong check of device registration +Git-commit: bf00f5426074249058a106a6edbb89e4b25a4d79 +Patch-mainline: v6.1-rc4 +References: git-fixes + +The class is set in mISDN_register_device(), but if device_add() returns +error, it will lead to delete a device without added, fix this by using +device_is_registered() to check if the device is registered. + +Fixes: a900845e5661 ("mISDN: Add support for Traverse Technologies NETJet PCI cards") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/isdn/hardware/mISDN/netjet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/isdn/hardware/mISDN/netjet.c b/drivers/isdn/hardware/mISDN/netjet.c +index a52f275f8263..f8447135a902 100644 +--- a/drivers/isdn/hardware/mISDN/netjet.c ++++ b/drivers/isdn/hardware/mISDN/netjet.c +@@ -956,7 +956,7 @@ nj_release(struct tiger_hw *card) + } + if (card->irq > 0) + free_irq(card->irq, card); +- if (card->isac.dch.dev.dev.class) ++ if (device_is_registered(&card->isac.dch.dev.dev)) + mISDN_unregister_device(&card->isac.dch.dev); + + for (i = 0; i < 2; i++) { +-- +2.35.3 + diff --git a/patches.suse/kernfs-fix-use-after-free-in-__kernfs_remove.patch b/patches.suse/kernfs-fix-use-after-free-in-__kernfs_remove.patch new file mode 100644 index 0000000..ab86cf5 --- /dev/null +++ b/patches.suse/kernfs-fix-use-after-free-in-__kernfs_remove.patch @@ -0,0 +1,193 @@ +From 4abc99652812a2ddf932f137515d5c5a04723538 Mon Sep 17 00:00:00 2001 +From: "Christian A. Ehrhardt" +Date: Tue, 13 Sep 2022 14:17:23 +0200 +Subject: [PATCH] kernfs: fix use-after-free in __kernfs_remove +Git-commit: 4abc99652812a2ddf932f137515d5c5a04723538 +Patch-mainline: v6.1-rc1 +References: git-fixes + +Syzkaller managed to trigger concurrent calls to +kernfs_remove_by_name_ns() for the same file resulting in +a KASAN detected use-after-free. The race occurs when the root +node is freed during kernfs_drain(). + +To prevent this acquire an additional reference for the root +of the tree that is removed before calling __kernfs_remove(). + +Found by syzkaller with the following reproducer (slab_nomerge is +Required): + +syz_mount_image$ext4(0x0, &(0x7f0000000100)='./file0\x00', 0x100000, 0x0, 0x0, 0x0, 0x0) +r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self/exe\x00', 0x0, 0x0) +close(r0) +pipe2(&(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}, 0x800) +mount$9p_fd(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f00000000c0), 0x408, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@cache_loose}, {@mmap}, {@loose}, {@loose}, {@mmap}], [{@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@fsmagic={'fsmagic', 0x3d, 0x10001}}, {@dont_hash}]}}) + +Sample report: + +================================================================== +Bug: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:335 [inline] +Bug: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline] +Bug: KASAN: use-after-free in __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369 +Read of size 2 at addr ffff8880088807f0 by task syz-executor.2/857 + +Cpu: 0 PID: 857 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b #5 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x6e/0x91 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:317 [inline] + print_report.cold+0x5e/0x5e5 mm/kasan/report.c:433 + kasan_report+0xa3/0x130 mm/kasan/report.c:495 + kernfs_type include/linux/kernfs.h:335 [inline] + kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline] + __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369 + __kernfs_remove fs/kernfs/dir.c:1356 [inline] + kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589 + sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943 + __kmem_cache_create+0x3e0/0x550 mm/slub.c:4899 + create_cache mm/slab_common.c:229 [inline] + kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335 + p9_client_create+0xd4d/0x1190 net/9p/client.c:993 + v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408 + v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126 + legacy_get_tree+0xf1/0x200 fs/fs_context.c:610 + vfs_get_tree+0x85/0x2e0 fs/super.c:1530 + do_new_mount fs/namespace.c:3040 [inline] + path_mount+0x675/0x1d00 fs/namespace.c:3370 + do_mount fs/namespace.c:3383 [inline] + __do_sys_mount fs/namespace.c:3591 [inline] + __se_sys_mount fs/namespace.c:3568 [inline] + __x64_sys_mount+0x282/0x300 fs/namespace.c:3568 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +Rip: 0033:0x7f725f983aed +Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +Rsp: 002b:00007f725f0f7028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 +Rax: ffffffffffffffda RBX: 00007f725faa3f80 RCX: 00007f725f983aed +Rdx: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000 +Rbp: 00007f725f9f419c R08: 0000000020000280 R09: 0000000000000000 +R10: 0000000000000408 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000006 R14: 00007f725faa3f80 R15: 00007f725f0d7000 + +Allocated by task 855: + kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 + kasan_set_track mm/kasan/common.c:45 [inline] + set_alloc_info mm/kasan/common.c:437 [inline] + __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:470 + kasan_slab_alloc include/linux/kasan.h:224 [inline] + slab_post_alloc_hook mm/slab.h:727 [inline] + slab_alloc_node mm/slub.c:3243 [inline] + slab_alloc mm/slub.c:3251 [inline] + __kmem_cache_alloc_lru mm/slub.c:3258 [inline] + kmem_cache_alloc+0xbf/0x200 mm/slub.c:3268 + kmem_cache_zalloc include/linux/slab.h:723 [inline] + __kernfs_new_node+0xd4/0x680 fs/kernfs/dir.c:593 + kernfs_new_node fs/kernfs/dir.c:655 [inline] + kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:1010 + sysfs_create_dir_ns+0x127/0x290 fs/sysfs/dir.c:59 + create_dir lib/kobject.c:63 [inline] + kobject_add_internal+0x24a/0x8d0 lib/kobject.c:223 + kobject_add_varg lib/kobject.c:358 [inline] + kobject_init_and_add+0x101/0x160 lib/kobject.c:441 + sysfs_slab_add+0x156/0x1e0 mm/slub.c:5954 + __kmem_cache_create+0x3e0/0x550 mm/slub.c:4899 + create_cache mm/slab_common.c:229 [inline] + kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335 + p9_client_create+0xd4d/0x1190 net/9p/client.c:993 + v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408 + v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126 + legacy_get_tree+0xf1/0x200 fs/fs_context.c:610 + vfs_get_tree+0x85/0x2e0 fs/super.c:1530 + do_new_mount fs/namespace.c:3040 [inline] + path_mount+0x675/0x1d00 fs/namespace.c:3370 + do_mount fs/namespace.c:3383 [inline] + __do_sys_mount fs/namespace.c:3591 [inline] + __se_sys_mount fs/namespace.c:3568 [inline] + __x64_sys_mount+0x282/0x300 fs/namespace.c:3568 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 857: + kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 + kasan_set_track+0x21/0x30 mm/kasan/common.c:45 + kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:370 + ____kasan_slab_free mm/kasan/common.c:367 [inline] + ____kasan_slab_free mm/kasan/common.c:329 [inline] + __kasan_slab_free+0x108/0x190 mm/kasan/common.c:375 + kasan_slab_free include/linux/kasan.h:200 [inline] + slab_free_hook mm/slub.c:1754 [inline] + slab_free_freelist_hook mm/slub.c:1780 [inline] + slab_free mm/slub.c:3534 [inline] + kmem_cache_free+0x9c/0x340 mm/slub.c:3551 + kernfs_put.part.0+0x2b2/0x520 fs/kernfs/dir.c:547 + kernfs_put+0x42/0x50 fs/kernfs/dir.c:521 + __kernfs_remove.part.0+0x72d/0x960 fs/kernfs/dir.c:1407 + __kernfs_remove fs/kernfs/dir.c:1356 [inline] + kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589 + sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943 + __kmem_cache_create+0x3e0/0x550 mm/slub.c:4899 + create_cache mm/slab_common.c:229 [inline] + kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335 + p9_client_create+0xd4d/0x1190 net/9p/client.c:993 + v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408 + v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126 + legacy_get_tree+0xf1/0x200 fs/fs_context.c:610 + vfs_get_tree+0x85/0x2e0 fs/super.c:1530 + do_new_mount fs/namespace.c:3040 [inline] + path_mount+0x675/0x1d00 fs/namespace.c:3370 + do_mount fs/namespace.c:3383 [inline] + __do_sys_mount fs/namespace.c:3591 [inline] + __se_sys_mount fs/namespace.c:3568 [inline] + __x64_sys_mount+0x282/0x300 fs/namespace.c:3568 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The buggy address belongs to the object at ffff888008880780 + which belongs to the cache kernfs_node_cache of size 128 +The buggy address is located 112 bytes inside of + 128-byte region [ffff888008880780, ffff888008880800) + +The buggy address belongs to the physical page: +page:00000000732833f8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8880 +Flags: 0x100000000000200(slab|node=0|zone=1) +Raw: 0100000000000200 0000000000000000 dead000000000122 ffff888001147280 +Raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888008880680: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb + ffff888008880700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +>ffff888008880780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888008880800: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888008880880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +================================================================== + +Acked-by: Tejun Heo +Cc: stable # -rc3 +Signed-off-by: Christian A. Ehrhardt +Link: https://lore.kernel.org/r/20220913121723.691454-1-lk@c--e.de +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + fs/kernfs/dir.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/kernfs/dir.c ++++ b/fs/kernfs/dir.c +@@ -1513,8 +1513,11 @@ int kernfs_remove_by_name_ns(struct kern + mutex_lock(&kernfs_mutex); + + kn = kernfs_find_ns(parent, name, ns); +- if (kn) ++ if (kn) { ++ kernfs_get(kn); + __kernfs_remove(kn); ++ kernfs_put(kn); ++ } + + mutex_unlock(&kernfs_mutex); + diff --git a/patches.suse/mISDN-fix-possible-memory-leak-in-mISDN_register_dev.patch b/patches.suse/mISDN-fix-possible-memory-leak-in-mISDN_register_dev.patch new file mode 100644 index 0000000..e64c250 --- /dev/null +++ b/patches.suse/mISDN-fix-possible-memory-leak-in-mISDN_register_dev.patch @@ -0,0 +1,56 @@ +From e7d1d4d9ac0dfa40be4c2c8abd0731659869b297 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Mon, 31 Oct 2022 20:13:40 +0800 +Subject: [PATCH] mISDN: fix possible memory leak in mISDN_register_device() +Git-commit: e7d1d4d9ac0dfa40be4c2c8abd0731659869b297 +Patch-mainline: v6.1-rc4 +References: git-fixes + +Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's +bus_id string array"), the name of device is allocated dynamically, +add put_device() to give up the reference, so that the name can be +freed in kobject_cleanup() when the refcount is 0. + +Set device class before put_device() to avoid null release() function +WARN message in device_release(). + +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/isdn/mISDN/core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/isdn/mISDN/core.c b/drivers/isdn/mISDN/core.c +index a41b4b264594..7ea0100f218a 100644 +--- a/drivers/isdn/mISDN/core.c ++++ b/drivers/isdn/mISDN/core.c +@@ -233,11 +233,12 @@ mISDN_register_device(struct mISDNdevice *dev, + if (debug & DEBUG_CORE) + printk(KERN_DEBUG "mISDN_register %s %d\n", + dev_name(&dev->dev), dev->id); ++ dev->dev.class = &mISDN_class; ++ + err = create_stack(dev); + if (err) + goto error1; + +- dev->dev.class = &mISDN_class; + dev->dev.platform_data = dev; + dev->dev.parent = parent; + dev_set_drvdata(&dev->dev, dev); +@@ -249,8 +250,8 @@ mISDN_register_device(struct mISDNdevice *dev, + + error3: + delete_stack(dev); +- return err; + error1: ++ put_device(&dev->dev); + return err; + + } +-- +2.35.3 + diff --git a/patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch b/patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch index 1b7ed06..a5727ef 100644 --- a/patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch +++ b/patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch @@ -1,7 +1,8 @@ From: David Leadbeater Date: Fri, 26 Aug 2022 14:56:57 +1000 Subject: netfilter: nf_conntrack_irc: Tighten matching on DCC message -Patch-mainline: Submitted - 2022-08-26 - 20220826045658.100360-1-dgl@dgl.cx +Git-commit: e8d5dfd1d8747b56077d02664a8838c71ced948e +Patch-mainline: v6.0-rc7 References: CVE-2022-2663 bsc#1202097 CTCP messages should only be at the start of an IRC message, not diff --git a/patches.suse/nfc-fdp-Fix-potential-memory-leak-in-fdp_nci_send.patch b/patches.suse/nfc-fdp-Fix-potential-memory-leak-in-fdp_nci_send.patch new file mode 100644 index 0000000..e4888e0 --- /dev/null +++ b/patches.suse/nfc-fdp-Fix-potential-memory-leak-in-fdp_nci_send.patch @@ -0,0 +1,50 @@ +From 8e4aae6b8ca76afb1fb64dcb24be44ba814e7f8a Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Thu, 27 Oct 2022 22:03:29 +0800 +Subject: [PATCH] nfc: fdp: Fix potential memory leak in fdp_nci_send() +Git-commit: 8e4aae6b8ca76afb1fb64dcb24be44ba814e7f8a +Patch-mainline: v6.1-rc4 +References: git-fixes + +fdp_nci_send() will call fdp_nci_i2c_write that will not free skb in +the function. As a result, when fdp_nci_i2c_write() finished, the skb +will memleak. fdp_nci_send() should free skb after fdp_nci_i2c_write() +finished. + +Fixes: a06347c04c13 ("NFC: Add Intel Fields Peak NFC solution driver") +Signed-off-by: Shang XiaoJing +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/nfc/fdp/fdp.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/nfc/fdp/fdp.c b/drivers/nfc/fdp/fdp.c +index c6b3334f24c9..f12f903a9dd1 100644 +--- a/drivers/nfc/fdp/fdp.c ++++ b/drivers/nfc/fdp/fdp.c +@@ -249,11 +249,19 @@ static int fdp_nci_close(struct nci_dev *ndev) + static int fdp_nci_send(struct nci_dev *ndev, struct sk_buff *skb) + { + struct fdp_nci_info *info = nci_get_drvdata(ndev); ++ int ret; + + if (atomic_dec_and_test(&info->data_pkt_counter)) + info->data_pkt_counter_cb(ndev); + +- return info->phy_ops->write(info->phy, skb); ++ ret = info->phy_ops->write(info->phy, skb); ++ if (ret < 0) { ++ kfree_skb(skb); ++ return ret; ++ } ++ ++ consume_skb(skb); ++ return 0; + } + + static int fdp_nci_request_firmware(struct nci_dev *ndev) +-- +2.35.3 + diff --git a/patches.suse/nfc-nfcmrvl-Fix-potential-memory-leak-in-nfcmrvl_i2c.patch b/patches.suse/nfc-nfcmrvl-Fix-potential-memory-leak-in-nfcmrvl_i2c.patch new file mode 100644 index 0000000..b38590c --- /dev/null +++ b/patches.suse/nfc-nfcmrvl-Fix-potential-memory-leak-in-nfcmrvl_i2c.patch @@ -0,0 +1,47 @@ +From 93d904a734a74c54d945a9884b4962977f1176cd Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Thu, 27 Oct 2022 22:03:32 +0800 +Subject: [PATCH] nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send() +Git-commit: 93d904a734a74c54d945a9884b4962977f1176cd +Patch-mainline: v6.1-rc4 +References: git-fixes + +nfcmrvl_i2c_nci_send() will be called by nfcmrvl_nci_send(), and skb +should be freed in nfcmrvl_i2c_nci_send(). However, nfcmrvl_nci_send() +will only free skb when i2c_master_send() return >=0, which means skb +will memleak when i2c_master_send() failed. Free skb no matter whether +i2c_master_send() succeeds. + +Fixes: b5b3e23e4cac ("NFC: nfcmrvl: add i2c driver") +Signed-off-by: Shang XiaoJing +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/nfc/nfcmrvl/i2c.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/nfc/nfcmrvl/i2c.c b/drivers/nfc/nfcmrvl/i2c.c +index acef0cfd76af..24436c9e54c9 100644 +--- a/drivers/nfc/nfcmrvl/i2c.c ++++ b/drivers/nfc/nfcmrvl/i2c.c +@@ -132,10 +132,15 @@ static int nfcmrvl_i2c_nci_send(struct nfcmrvl_private *priv, + ret = -EREMOTEIO; + } else + ret = 0; ++ } ++ ++ if (ret) { + kfree_skb(skb); ++ return ret; + } + +- return ret; ++ consume_skb(skb); ++ return 0; + } + + static void nfcmrvl_i2c_nci_update_config(struct nfcmrvl_private *priv, +-- +2.35.3 + diff --git a/patches.suse/nfc-nxp-nci-Fix-potential-memory-leak-in-nxp_nci_sen.patch b/patches.suse/nfc-nxp-nci-Fix-potential-memory-leak-in-nxp_nci_sen.patch new file mode 100644 index 0000000..1611ef0 --- /dev/null +++ b/patches.suse/nfc-nxp-nci-Fix-potential-memory-leak-in-nxp_nci_sen.patch @@ -0,0 +1,41 @@ +From 7bf1ed6aff0f70434bd0cdd45495e83f1dffb551 Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Thu, 27 Oct 2022 22:03:30 +0800 +Subject: [PATCH] nfc: nxp-nci: Fix potential memory leak in nxp_nci_send() +Git-commit: 7bf1ed6aff0f70434bd0cdd45495e83f1dffb551 +Patch-mainline: v6.1-rc4 +References: git-fixes + +nxp_nci_send() will call nxp_nci_i2c_write(), and only free skb when +nxp_nci_i2c_write() failed. However, even if the nxp_nci_i2c_write() +run succeeds, the skb will not be freed in nxp_nci_i2c_write(). As the +result, the skb will memleak. nxp_nci_send() should also free the skb +when nxp_nci_i2c_write() succeeds. + +Fixes: dece45855a8b ("NFC: nxp-nci: Add support for NXP NCI chips") +Signed-off-by: Shang XiaoJing +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/nfc/nxp-nci/core.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/nfc/nxp-nci/core.c ++++ b/drivers/nfc/nxp-nci/core.c +@@ -77,10 +77,13 @@ static int nxp_nci_send(struct nci_dev * + return -EINVAL; + + r = info->phy_ops->write(info->phy_id, skb); +- if (r < 0) ++ if (r < 0) { + kfree_skb(skb); ++ return r; ++ } + +- return r; ++ consume_skb(skb); ++ return 0; + } + + static struct nci_ops nxp_nci_ops = { diff --git a/patches.suse/nfc-s3fwrn5-Fix-potential-memory-leak-in-s3fwrn5_nci.patch b/patches.suse/nfc-s3fwrn5-Fix-potential-memory-leak-in-s3fwrn5_nci.patch new file mode 100644 index 0000000..21b5378 --- /dev/null +++ b/patches.suse/nfc-s3fwrn5-Fix-potential-memory-leak-in-s3fwrn5_nci.patch @@ -0,0 +1,48 @@ +From 3a146b7e3099dc7cf3114f627d9b79291e2d2203 Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Thu, 27 Oct 2022 22:03:31 +0800 +Subject: [PATCH] nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send() +Git-commit: 3a146b7e3099dc7cf3114f627d9b79291e2d2203 +Patch-mainline: v6.1-rc4 +References: git-fixes + +s3fwrn5_nci_send() will call s3fwrn5_i2c_write() or s3fwrn82_uart_write(), +and free the skb if write() failed. However, even if the write() run +succeeds, the skb will not be freed in write(). As the result, the skb +will memleak. s3fwrn5_nci_send() should also free the skb when write() +succeeds. + +Fixes: c04c674fadeb ("nfc: s3fwrn5: Add driver for Samsung S3FWRN5 NFC Chip") +Signed-off-by: Shang XiaoJing +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/nfc/s3fwrn5/core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/nfc/s3fwrn5/core.c b/drivers/nfc/s3fwrn5/core.c +index 1c412007fabb..0270e05b68df 100644 +--- a/drivers/nfc/s3fwrn5/core.c ++++ b/drivers/nfc/s3fwrn5/core.c +@@ -110,11 +110,15 @@ static int s3fwrn5_nci_send(struct nci_dev *ndev, struct sk_buff *skb) + } + + ret = s3fwrn5_write(info, skb); +- if (ret < 0) ++ if (ret < 0) { + kfree_skb(skb); ++ mutex_unlock(&info->mutex); ++ return ret; ++ } + ++ consume_skb(skb); + mutex_unlock(&info->mutex); +- return ret; ++ return 0; + } + + static int s3fwrn5_nci_post_setup(struct nci_dev *ndev) +-- +2.35.3 + diff --git a/patches.suse/nvme-consider-also-host_iface-when-checking-ip-options.patch b/patches.suse/nvme-consider-also-host_iface-when-checking-ip-options.patch index c33d7b2..2f4de83 100644 --- a/patches.suse/nvme-consider-also-host_iface-when-checking-ip-options.patch +++ b/patches.suse/nvme-consider-also-host_iface-when-checking-ip-options.patch @@ -1,7 +1,8 @@ From: Daniel Wagner Date: Fri, 22 Jul 2022 12:03:35 +0200 Subject: [PATCH] nvme: consider also host_iface when checking ip options -Patch-mainline: Submitted, https://lore.kernel.org/linux-nvme/20220729142630.13504-1-dwagner@suse.de/ +Git-commit: 4cde03d82e2d0056d20fd5af6a264c7f5e6a3e76 +Patch-mainline: v6.1-rc1 References: bsc#1199670 It's perfectly fine to use the same traddr and trsvcid more than once diff --git a/patches.suse/nvme-rdma-handle-number-of-queue-changes.patch b/patches.suse/nvme-rdma-handle-number-of-queue-changes.patch index aaebed8..88d02b9 100644 --- a/patches.suse/nvme-rdma-handle-number-of-queue-changes.patch +++ b/patches.suse/nvme-rdma-handle-number-of-queue-changes.patch @@ -1,9 +1,8 @@ From: Daniel Wagner Date: Mon, 29 Aug 2022 11:28:41 +0200 Subject: nvme-rdma: Handle number of queue changes -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.infradead.org/nvme.git -Git-commit: e800278c1dc97518eab1970f8f58a5aad52b0f86 +Patch-mainline: v6.1-rc1 +Git-commit: 1c467e259599864ec925d5b85066a0960320fb3c References: bsc#1201865 On reconnect, the number of queues might have changed. diff --git a/patches.suse/nvme-tcp-handle-number-of-queue-changes.patch b/patches.suse/nvme-tcp-handle-number-of-queue-changes.patch index e2cc886..e772c1a 100644 --- a/patches.suse/nvme-tcp-handle-number-of-queue-changes.patch +++ b/patches.suse/nvme-tcp-handle-number-of-queue-changes.patch @@ -1,9 +1,8 @@ From: Daniel Wagner Date: Mon, 29 Aug 2022 11:28:40 +0200 Subject: nvme-tcp: Handle number of queue changes -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.infradead.org/nvme.git -Git-commit: 516204e486a19d03962c2757ef49782e6c1cacf4 +Patch-mainline: v6.1-rc1 +Git-commit: 09035f86496d8dea7a05a07f6dcb8083c0a3d885 References: bsc#1201865 On reconnect, the number of queues might have changed. diff --git a/patches.suse/nvmet-expose-max-queues-to-configfs.patch b/patches.suse/nvmet-expose-max-queues-to-configfs.patch index cd5d361..af338dd 100644 --- a/patches.suse/nvmet-expose-max-queues-to-configfs.patch +++ b/patches.suse/nvmet-expose-max-queues-to-configfs.patch @@ -1,9 +1,8 @@ From: Daniel Wagner Date: Mon, 29 Aug 2022 11:28:39 +0200 Subject: nvmet: Expose max queues to configfs -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.infradead.org/nvme.git -Git-commit: 2c4282742d049e2a5ab874e2b359a2421b9377c2 +Patch-mainline: v6.1-rc1 +Git-commit: 3e980f5995e0bb4d86fef873a9c9ad66721580d0 References: bsc#1201865 Allow to set the max queues the target supports. This is useful for diff --git a/patches.suse/rose-Fix-NULL-pointer-dereference-in-rose_send_frame.patch b/patches.suse/rose-Fix-NULL-pointer-dereference-in-rose_send_frame.patch new file mode 100644 index 0000000..8c53fb7 --- /dev/null +++ b/patches.suse/rose-Fix-NULL-pointer-dereference-in-rose_send_frame.patch @@ -0,0 +1,76 @@ +From e97c089d7a49f67027395ddf70bf327eeac2611e Mon Sep 17 00:00:00 2001 +From: Zhang Qilong +Date: Sat, 29 Oct 2022 00:10:49 +0800 +Subject: [PATCH] rose: Fix NULL pointer dereference in rose_send_frame() +Git-commit: e97c089d7a49f67027395ddf70bf327eeac2611e +Patch-mainline: v6.1-rc4 +References: git-fixes + +The syzkaller reported an issue: + +Kasan: null-ptr-deref in range [0x0000000000000380-0x0000000000000387] +Cpu: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 +Workqueue: rcu_gp srcu_invoke_callbacks +Rip: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101 +Call Trace: + + rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255 + rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009 + rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111 + call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474 + expire_timers kernel/time/timer.c:1519 [inline] + __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790 + __run_timers kernel/time/timer.c:1768 [inline] + run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803 + __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571 + [...] + + +It triggers NULL pointer dereference when 'neigh->dev->dev_addr' is +called in the rose_send_frame(). It's the first occurrence of the +`neigh` is in rose_loopback_timer() as `rose_loopback_neigh', and +the 'dev' in 'rose_loopback_neigh' is initialized sa nullptr. + +It had been fixed by commit 3b3fd068c56e3fbea30090859216a368398e39bf +("rose: Fix Null pointer dereference in rose_send_frame()") ever. +But it's introduced by commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8 +("rose: check NULL rose_loopback_neigh->loopback") again. + +We fix it by add NULL check in rose_transmit_clear_request(). When +the 'dev' in 'neigh' is NULL, we don't reply the request and just +clear it. + +syzkaller don't provide repro, and I provide a syz repro like: +r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) +ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000180)={'rose0\x00', 0x201}) +r1 = syz_init_net_socket$rose(0xb, 0x5, 0x0) +bind$rose(r1, &(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40) +connect$rose(r1, &(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c) + +Fixes: 3c53cd65dece ("rose: check NULL rose_loopback_neigh->loopback") +Signed-off-by: Zhang Qilong +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + net/rose/rose_link.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/rose/rose_link.c b/net/rose/rose_link.c +index 8b96a56d3a49..0f77ae8ef944 100644 +--- a/net/rose/rose_link.c ++++ b/net/rose/rose_link.c +@@ -236,6 +236,9 @@ void rose_transmit_clear_request(struct rose_neigh *neigh, unsigned int lci, uns + unsigned char *dptr; + int len; + ++ if (!neigh->dev) ++ return; ++ + len = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN + 3; + + if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL) +-- +2.35.3 + diff --git a/patches.suse/selftests-pidfd_test-Remove-the-erroneous.patch b/patches.suse/selftests-pidfd_test-Remove-the-erroneous.patch new file mode 100644 index 0000000..1f3deb7 --- /dev/null +++ b/patches.suse/selftests-pidfd_test-Remove-the-erroneous.patch @@ -0,0 +1,40 @@ +From 89c1017aac67ca81973b7c8eac5d021315811a93 Mon Sep 17 00:00:00 2001 +From: Zhao Gongyi +Date: Tue, 1 Nov 2022 11:56:02 +0800 +Subject: [PATCH] selftests/pidfd_test: Remove the erroneous ',' +Git-commit: 89c1017aac67ca81973b7c8eac5d021315811a93 +Patch-mainline: v6.1-rc4 +References: git-fixes + +Remove the erroneous ',', otherwise it might result in wrong output +and report: + ... + Bail out! (errno %d) + test: Unexpected epoll_wait result (c=4208480, events=2) + ... + +Fixes: 740378dc7834 ("pidfd: add polling selftests") +Signed-off-by: Zhao Gongyi +Signed-off-by: Shuah Khan +Acked-by: Takashi Iwai + +--- + tools/testing/selftests/pidfd/pidfd_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/pidfd/pidfd_test.c b/tools/testing/selftests/pidfd/pidfd_test.c +index d36654265b7a..e2dd4ed84984 100644 +--- a/tools/testing/selftests/pidfd/pidfd_test.c ++++ b/tools/testing/selftests/pidfd/pidfd_test.c +@@ -413,7 +413,7 @@ static void poll_pidfd(const char *test_name, int pidfd) + + c = epoll_wait(epoll_fd, events, MAX_EVENTS, 5000); + if (c != 1 || !(events[0].events & EPOLLIN)) +- ksft_exit_fail_msg("%s test: Unexpected epoll_wait result (c=%d, events=%x) ", ++ ksft_exit_fail_msg("%s test: Unexpected epoll_wait result (c=%d, events=%x) " + "(errno %d)\n", + test_name, c, events[0].events, errno); + +-- +2.35.3 + diff --git a/patches.suse/serial-core-move-RS485-configuration-tasks-from-driv.patch b/patches.suse/serial-core-move-RS485-configuration-tasks-from-driv.patch new file mode 100644 index 0000000..77ac6d0 --- /dev/null +++ b/patches.suse/serial-core-move-RS485-configuration-tasks-from-driv.patch @@ -0,0 +1,89 @@ +From 0ed12afa5655512ee418047fb3546d229df20aa1 Mon Sep 17 00:00:00 2001 +From: Lino Sanfilippo +Date: Sun, 10 Apr 2022 12:46:34 +0200 +Subject: [PATCH] serial: core: move RS485 configuration tasks from drivers into core +Git-commit: 0ed12afa5655512ee418047fb3546d229df20aa1 +Patch-mainline: v5.19-rc1 +References: git-fixes + +Several drivers that support setting the RS485 configuration via userspace +implement one or more of the following tasks: + +- in case of an invalid RTS configuration (both RTS after send and RTS on + send set or both unset) fall back to enable RTS on send and disable RTS + after send + +- nullify the padding field of the returned serial_rs485 struct + +- copy the configuration into the uart port struct + +- limit RTS delays to 100 ms + +Move these tasks into the serial core to make them generic and to provide +a consistent behaviour among all drivers. + +Signed-off-by: Lino Sanfilippo +Link: https://lore.kernel.org/r/20220410104642.32195-2-LinoSanfilippo@gmx.de +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/serial/serial_core.c | 33 ++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index 6a8963caf954..108b389e6e12 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -42,6 +42,11 @@ static struct lock_class_key port_lock_key; + + #define HIGH_BITS_OFFSET ((sizeof(long)-sizeof(int))*8) + ++/* ++ * Max time with active RTS before/after data is sent. ++ */ ++#define RS485_MAX_RTS_DELAY 100 /* msecs */ ++ + static void uart_change_speed(struct tty_struct *tty, struct uart_state *state, + struct ktermios *old_termios); + static void uart_wait_until_sent(struct tty_struct *tty, int timeout); +@@ -1296,8 +1301,36 @@ static int uart_set_rs485_config(struct uart_port *port, + if (copy_from_user(&rs485, rs485_user, sizeof(*rs485_user))) + return -EFAULT; + ++ /* pick sane settings if the user hasn't */ ++ if (!(rs485.flags & SER_RS485_RTS_ON_SEND) == ++ !(rs485.flags & SER_RS485_RTS_AFTER_SEND)) { ++ dev_warn_ratelimited(port->dev, ++ "%s (%d): invalid RTS setting, using RTS_ON_SEND instead\n", ++ port->name, port->line); ++ rs485.flags |= SER_RS485_RTS_ON_SEND; ++ rs485.flags &= ~SER_RS485_RTS_AFTER_SEND; ++ } ++ ++ if (rs485.delay_rts_before_send > RS485_MAX_RTS_DELAY) { ++ rs485.delay_rts_before_send = RS485_MAX_RTS_DELAY; ++ dev_warn_ratelimited(port->dev, ++ "%s (%d): RTS delay before sending clamped to %u ms\n", ++ port->name, port->line, rs485.delay_rts_before_send); ++ } ++ ++ if (rs485.delay_rts_after_send > RS485_MAX_RTS_DELAY) { ++ rs485.delay_rts_after_send = RS485_MAX_RTS_DELAY; ++ dev_warn_ratelimited(port->dev, ++ "%s (%d): RTS delay after sending clamped to %u ms\n", ++ port->name, port->line, rs485.delay_rts_after_send); ++ } ++ /* Return clean padding area to userspace */ ++ memset(rs485.padding, 0, sizeof(rs485.padding)); ++ + spin_lock_irqsave(&port->lock, flags); + ret = port->rs485_config(port, &rs485); ++ if (!ret) ++ port->rs485 = rs485; + spin_unlock_irqrestore(&port->lock, flags); + if (ret) + return ret; +-- +2.35.3 + diff --git a/patches.suse/thermal-int340x_thermal-handle-data_vault-when-the-v.patch b/patches.suse/thermal-int340x_thermal-handle-data_vault-when-the-v.patch index a3fbae6..5db9d8b 100644 --- a/patches.suse/thermal-int340x_thermal-handle-data_vault-when-the-v.patch +++ b/patches.suse/thermal-int340x_thermal-handle-data_vault-when-the-v.patch @@ -3,7 +3,8 @@ From: "Lee, Chun-Yi" Date: Mon, 8 Aug 2022 20:54:00 +0800 Subject: [PATCH] thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR -Patch-mainline: Submitted, linux-pm ML +Patch-mainline: v6.0-rc3 +Git-commit: 7931e28098a4c1a2a6802510b0cbe57546d2049d References: bsc#1201308 In some case, the GDDV returns a package with a buffer which has diff --git a/patches.suse/usb-xhci-add-XHCI_SPURIOUS_SUCCESS-to-ASM1042-despit.patch b/patches.suse/usb-xhci-add-XHCI_SPURIOUS_SUCCESS-to-ASM1042-despit.patch new file mode 100644 index 0000000..5a8461a --- /dev/null +++ b/patches.suse/usb-xhci-add-XHCI_SPURIOUS_SUCCESS-to-ASM1042-despit.patch @@ -0,0 +1,51 @@ +From 4f547472380136718b56064ea5689a61e135f904 Mon Sep 17 00:00:00 2001 +From: Jens Glathe +Date: Mon, 24 Oct 2022 17:27:17 +0300 +Subject: [PATCH] usb: xhci: add XHCI_SPURIOUS_SUCCESS to ASM1042 despite being a V0.96 controller +Git-commit: 4f547472380136718b56064ea5689a61e135f904 +Patch-mainline: v6.1-rc3 +References: git-fixes + +This appears to fix the error: +"xhci_hcd
; ERROR Transfer event TRB DMA ptr not part of +current TD ep_index 2 comp_code 13" that appear spuriously (or pretty +often) when using a r8152 USB3 ethernet adapter with integrated hub. + +ASM1042 reports as a 0.96 controller, but appears to behave more like 1.0 + +Inspired by this email thread: https://markmail.org/thread/7vzqbe7t6du6qsw3 + +Cc: stable@vger.kernel.org +Signed-off-by: Jens Glathe +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20221024142720.4122053-2-mathias.nyman@intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci-pci.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index 40228a3d77a0..6dd3102749b7 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -306,8 +306,14 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + } + + if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && +- pdev->device == PCI_DEVICE_ID_ASMEDIA_1042_XHCI) ++ pdev->device == PCI_DEVICE_ID_ASMEDIA_1042_XHCI) { ++ /* ++ * try to tame the ASMedia 1042 controller which reports 0.96 ++ * but appears to behave more like 1.0 ++ */ ++ xhci->quirks |= XHCI_SPURIOUS_SUCCESS; + xhci->quirks |= XHCI_BROKEN_STREAMS; ++ } + if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && + pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI) { + xhci->quirks |= XHCI_TRUST_TX_LENGTH; +-- +2.35.3 + diff --git a/patches.suse/vsock-fix-possible-infinite-sleep-in-vsock_connectib.patch b/patches.suse/vsock-fix-possible-infinite-sleep-in-vsock_connectib.patch new file mode 100644 index 0000000..969eaf2 --- /dev/null +++ b/patches.suse/vsock-fix-possible-infinite-sleep-in-vsock_connectib.patch @@ -0,0 +1,49 @@ +From 466a85336fee6e3b35eb97b8405a28302fd25809 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Mon, 31 Oct 2022 19:17:06 -0700 +Subject: [PATCH] vsock: fix possible infinite sleep in vsock_connectible_wait_data() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 466a85336fee6e3b35eb97b8405a28302fd25809 +Patch-mainline: v6.1-rc4 +References: git-fixes + +Currently vsock_connectible_has_data() may miss a wakeup operation +between vsock_connectible_has_data() == 0 and the prepare_to_wait(). + +Fix the race by adding the process to the wait queue before checking +vsock_connectible_has_data(). + +Fixes: b3f7fd54881b ("af_vsock: separate wait data loop") +Signed-off-by: Dexuan Cui +Reviewed-by: Stefano Garzarella +Reported-by: Frédéric Dalleau +Tested-by: Frédéric Dalleau +Signed-off-by: Paolo Abeni +Acked-by: Takashi Iwai + +--- + net/vmw_vsock/af_vsock.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index d258fd43092e..884eca7f6743 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1905,8 +1905,11 @@ static int vsock_connectible_wait_data(struct sock *sk, + err = 0; + transport = vsk->transport; + +- while ((data = vsock_connectible_has_data(vsk)) == 0) { ++ while (1) { + prepare_to_wait(sk_sleep(sk), wait, TASK_INTERRUPTIBLE); ++ data = vsock_connectible_has_data(vsk); ++ if (data != 0) ++ break; + + if (sk->sk_err != 0 || + (sk->sk_shutdown & RCV_SHUTDOWN) || +-- +2.35.3 + diff --git a/patches.suse/vsock-remove-the-unused-wait-in-vsock_connectible_re.patch b/patches.suse/vsock-remove-the-unused-wait-in-vsock_connectible_re.patch new file mode 100644 index 0000000..8102760 --- /dev/null +++ b/patches.suse/vsock-remove-the-unused-wait-in-vsock_connectible_re.patch @@ -0,0 +1,36 @@ +From cf6ff0df0fd123493e57278a1bd4414a97511a34 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Mon, 31 Oct 2022 19:17:05 -0700 +Subject: [PATCH] vsock: remove the unused 'wait' in vsock_connectible_recvmsg() +Git-commit: cf6ff0df0fd123493e57278a1bd4414a97511a34 +Patch-mainline: v6.1-rc4 +References: git-fixes + +Remove the unused variable introduced by 19c1b90e1979. + +Fixes: 19c1b90e1979 ("af_vsock: separate receive data loop") +Signed-off-by: Dexuan Cui +Reviewed-by: Stefano Garzarella +Signed-off-by: Paolo Abeni +Acked-by: Takashi Iwai + +--- + net/vmw_vsock/af_vsock.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index ee418701cdee..d258fd43092e 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -2092,8 +2092,6 @@ vsock_connectible_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + const struct vsock_transport *transport; + int err; + +- DEFINE_WAIT(wait); +- + sk = sock->sk; + vsk = vsock_sk(sk); + err = 0; +-- +2.35.3 + diff --git a/patches.suse/watchdog-wdat_wdt-fix-min-max-timer-value.patch b/patches.suse/watchdog-wdat_wdt-fix-min-max-timer-value.patch index daf5157..aab306a 100644 --- a/patches.suse/watchdog-wdat_wdt-fix-min-max-timer-value.patch +++ b/patches.suse/watchdog-wdat_wdt-fix-min-max-timer-value.patch @@ -1,7 +1,8 @@ From: Jean Delvare Subject: watchdog: wdat_wdt: Set the min and max timeout values properly References: bsc#1194023 -Patch-mainline: submitted, 2022-08-23 https://lore.kernel.org/linux-watchdog/20220823154713.023ee771@endymion.delvare/ +Git-commit: 926e099267950f3b4442eb48dffc5cc3a870ad34 +Patch-mainline: v6.1-rc1 The wdat_wdt driver is misusing the min_hw_heartbeat_ms field. This field should only be used when the hardware watchdog device should not diff --git a/patches.suse/x86-boot-Don-t-propagate-uninitialized-boot_params-c.patch b/patches.suse/x86-boot-Don-t-propagate-uninitialized-boot_params-c.patch new file mode 100644 index 0000000..6f4d325 --- /dev/null +++ b/patches.suse/x86-boot-Don-t-propagate-uninitialized-boot_params-c.patch @@ -0,0 +1,88 @@ +From 4b1c742407571eff58b6de9881889f7ca7c4b4dc Mon Sep 17 00:00:00 2001 +From: Michael Roth +Date: Tue, 23 Aug 2022 11:07:34 -0500 +Subject: [PATCH] x86/boot: Don't propagate uninitialized boot_params->cc_blob_address +Git-commit: 4b1c742407571eff58b6de9881889f7ca7c4b4dc +Patch-mainline: v6.0-rc3 +References: bsc#1204970 + +In some cases, bootloaders will leave boot_params->cc_blob_address +uninitialized rather than zeroing it out. This field is only meant to be +set by the boot/compressed kernel in order to pass information to the +uncompressed kernel when SEV-SNP support is enabled. + +Therefore, there are no cases where the bootloader-provided values +should be treated as anything other than garbage. Otherwise, the +uncompressed kernel may attempt to access this bogus address, leading to +a crash during early boot. + +Normally, sanitize_boot_params() would be used to clear out such fields +but that happens too late: sev_enable() may have already initialized +it to a valid value that should not be zeroed out. Instead, have +sev_enable() zero it out unconditionally beforehand. + +Also ensure this happens for !CONFIG_AMD_MEM_ENCRYPT as well by also +including this handling in the sev_enable() stub function. + + [ bp: Massage commit message and comments. ] + +Fixes: b190a043c49a ("x86/sev: Add SEV-SNP feature detection/setup") +Reported-by: Jeremi Piotrowski +Reported-by: watnuss@gmx.de +Signed-off-by: Michael Roth +Signed-off-by: Borislav Petkov +Cc: stable@vger.kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216387 +Link: https://lore.kernel.org/r/20220823160734.89036-1-michael.roth@amd.com +Acked-by: Takashi Iwai + +--- + arch/x86/boot/compressed/misc.h | 12 +++++++++++- + arch/x86/boot/compressed/sev.c | 8 ++++++++ + 2 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h +index 4910bf230d7b..62208ec04ca4 100644 +--- a/arch/x86/boot/compressed/misc.h ++++ b/arch/x86/boot/compressed/misc.h +@@ -132,7 +132,17 @@ void snp_set_page_private(unsigned long paddr); + void snp_set_page_shared(unsigned long paddr); + void sev_prep_identity_maps(unsigned long top_level_pgt); + #else +-static inline void sev_enable(struct boot_params *bp) { } ++static inline void sev_enable(struct boot_params *bp) ++{ ++ /* ++ * bp->cc_blob_address should only be set by boot/compressed kernel. ++ * Initialize it to 0 unconditionally (thus here in this stub too) to ++ * ensure that uninitialized values from buggy bootloaders aren't ++ * propagated. ++ */ ++ if (bp) ++ bp->cc_blob_address = 0; ++} + static inline void sev_es_shutdown_ghcb(void) { } + static inline bool sev_es_check_ghcb_fault(unsigned long address) + { +diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c +index 52f989f6acc2..c93930d5ccbd 100644 +--- a/arch/x86/boot/compressed/sev.c ++++ b/arch/x86/boot/compressed/sev.c +@@ -276,6 +276,14 @@ void sev_enable(struct boot_params *bp) + struct msr m; + bool snp; + ++ /* ++ * bp->cc_blob_address should only be set by boot/compressed kernel. ++ * Initialize it to 0 to ensure that uninitialized values from ++ * buggy bootloaders aren't propagated. ++ */ ++ if (bp) ++ bp->cc_blob_address = 0; ++ + /* + * Setup/preliminary detection of SNP. This will be sanity-checked + * against CPUID/MSR values later. +-- +2.35.3 + diff --git a/patches.suse/x86-boot-Fix-the-setup-data-types-max-limit.patch b/patches.suse/x86-boot-Fix-the-setup-data-types-max-limit.patch new file mode 100644 index 0000000..29bf384 --- /dev/null +++ b/patches.suse/x86-boot-Fix-the-setup-data-types-max-limit.patch @@ -0,0 +1,38 @@ +From cb8a4beac39b90cd60abbf9fd639a3357274e469 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Sun, 10 Jul 2022 11:15:47 +0200 +Subject: [PATCH] x86/boot: Fix the setup data types max limit +Git-commit: cb8a4beac39b90cd60abbf9fd639a3357274e469 +Patch-mainline: v5.19-rc6 +References: bsc#1204970 + +Commit in Fixes forgot to change the SETUP_TYPE_MAX definition which +contains the highest valid setup data type. + +Correct that. + +Fixes: 5ea98e01ab52 ("x86/boot: Add Confidential Computing type to setup_data") +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/ddba81dd-cc92-699c-5274-785396a17fb5@zytor.com +Acked-by: Takashi Iwai + +--- + arch/x86/include/uapi/asm/bootparam.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h +index bea5cdcdf532..e02a8a8ef23c 100644 +--- a/arch/x86/include/uapi/asm/bootparam.h ++++ b/arch/x86/include/uapi/asm/bootparam.h +@@ -15,7 +15,7 @@ + #define SETUP_INDIRECT (1<<31) + + /* SETUP_INDIRECT | max(SETUP_*) */ +-#define SETUP_TYPE_MAX (SETUP_INDIRECT | SETUP_JAILHOUSE) ++#define SETUP_TYPE_MAX (SETUP_INDIRECT | SETUP_CC_BLOB) + + /* ram_size flags */ + #define RAMDISK_IMAGE_START_MASK 0x07FF +-- +2.35.3 + diff --git a/patches.suse/x86-compressed-64-Add-identity-mappings-for-setup_da.patch b/patches.suse/x86-compressed-64-Add-identity-mappings-for-setup_da.patch new file mode 100644 index 0000000..ce78664 --- /dev/null +++ b/patches.suse/x86-compressed-64-Add-identity-mappings-for-setup_da.patch @@ -0,0 +1,67 @@ +From b57feed2cc2622ae14b2fa62f19e973e5e0a60cf Mon Sep 17 00:00:00 2001 +From: Michael Roth +Date: Tue, 5 Jul 2022 21:53:15 -0500 +Subject: [PATCH] x86/compressed/64: Add identity mappings for setup_data entries +Git-commit: b57feed2cc2622ae14b2fa62f19e973e5e0a60cf +Patch-mainline: v5.19-rc6 +References: bsc#1204970 + +The decompressed kernel initially relies on the identity map set up by +the boot/compressed kernel for accessing things like boot_params. With +the recent introduction of SEV-SNP support, the decompressed kernel +also needs to access the setup_data entries pointed to by +boot_params->hdr.setup_data. + +This can lead to a crash in the kexec kernel during early boot due to +these entries not currently being included in the initial identity map, +see thread at Link below. + +Include mappings for the setup_data entries in the initial identity map. + + [ bp: Massage commit message and use a helper var for better readability. ] + +Fixes: b190a043c49a ("x86/sev: Add SEV-SNP feature detection/setup") +Reported-by: Jun'ichi Nomura +Signed-off-by: Michael Roth +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/TYCPR01MB694815CD815E98945F63C99183B49@TYCPR01MB6948.jpnprd01.prod.outlook.com +Acked-by: Takashi Iwai + +--- + arch/x86/boot/compressed/ident_map_64.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/arch/x86/boot/compressed/ident_map_64.c b/arch/x86/boot/compressed/ident_map_64.c +index 44c350d627c7..d4a314cc50d6 100644 +--- a/arch/x86/boot/compressed/ident_map_64.c ++++ b/arch/x86/boot/compressed/ident_map_64.c +@@ -110,6 +110,7 @@ void kernel_add_identity_map(unsigned long start, unsigned long end) + void initialize_identity_maps(void *rmode) + { + unsigned long cmdline; ++ struct setup_data *sd; + + /* Exclude the encryption mask from __PHYSICAL_MASK */ + physical_mask &= ~sme_me_mask; +@@ -163,6 +164,18 @@ void initialize_identity_maps(void *rmode) + cmdline = get_cmd_line_ptr(); + kernel_add_identity_map(cmdline, cmdline + COMMAND_LINE_SIZE); + ++ /* ++ * Also map the setup_data entries passed via boot_params in case they ++ * need to be accessed by uncompressed kernel via the identity mapping. ++ */ ++ sd = (struct setup_data *)boot_params->hdr.setup_data; ++ while (sd) { ++ unsigned long sd_addr = (unsigned long)sd; ++ ++ kernel_add_identity_map(sd_addr, sd_addr + sizeof(*sd) + sd->len); ++ sd = (struct setup_data *)sd->next; ++ } ++ + sev_prep_identity_maps(top_level_pgt); + + /* Load the new page-table. */ +-- +2.35.3 + diff --git a/patches.suse/x86-sev-Annotate-stack-change-in-the-VC-handler.patch b/patches.suse/x86-sev-Annotate-stack-change-in-the-VC-handler.patch new file mode 100644 index 0000000..5d8dd53 --- /dev/null +++ b/patches.suse/x86-sev-Annotate-stack-change-in-the-VC-handler.patch @@ -0,0 +1,85 @@ +From c42b145181aafd59ed31ccd879493389e3ea5a08 Mon Sep 17 00:00:00 2001 +From: Lai Jiangshan +Date: Wed, 16 Mar 2022 12:16:12 +0800 +Subject: [PATCH] x86/sev: Annotate stack change in the #VC handler +Git-commit: c42b145181aafd59ed31ccd879493389e3ea5a08 +Patch-mainline: v5.19-rc1 +References: bsc#1204970 + +In idtentry_vc(), vc_switch_off_ist() determines a safe stack to +switch to, off of the IST stack. Annotate the new stack switch with +ENCODE_FRAME_POINTER in case UNWINDER_FRAME_POINTER is used. + +A stack walk before looks like this: + + CPU: 0 PID: 0 Comm: swapper Not tainted 5.18.0-rc7+ #2 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + Call Trace: + + dump_stack_lvl + dump_stack + kernel_exc_vmm_communication + asm_exc_vmm_communication + ? native_read_msr + ? __x2apic_disable.part.0 + ? x2apic_setup + ? cpu_init + ? trap_init + ? start_kernel + ? x86_64_start_reservations + ? x86_64_start_kernel + ? secondary_startup_64_no_verify + + +and with the fix, the stack dump is exact: + + CPU: 0 PID: 0 Comm: swapper Not tainted 5.18.0-rc7+ #3 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + Call Trace: + + dump_stack_lvl + dump_stack + kernel_exc_vmm_communication + asm_exc_vmm_communication + RIP: 0010:native_read_msr + Code: ... + < snipped regs > + ? __x2apic_disable.part.0 + x2apic_setup + cpu_init + trap_init + start_kernel + x86_64_start_reservations + x86_64_start_kernel + secondary_startup_64_no_verify + + + [ bp: Test in a SEV-ES guest and rewrite the commit message to + explain what exactly this does. ] + +Fixes: a13644f3a53d ("x86/entry/64: Add entry code for #VC handler") +Signed-off-by: Lai Jiangshan +Signed-off-by: Borislav Petkov +Acked-by: Josh Poimboeuf +Link: https://lore.kernel.org/r/20220316041612.71357-1-jiangshanlai@gmail.com +Acked-by: Takashi Iwai + +--- + arch/x86/entry/entry_64.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S +index 4faac48ebec5..f7bd8001bf07 100644 +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -505,6 +505,7 @@ SYM_CODE_START(\asmsym) + call vc_switch_off_ist + movq %rax, %rsp /* Switch to new stack */ + ++ ENCODE_FRAME_POINTER + UNWIND_HINT_REGS + + /* Update pt_regs */ +-- +2.35.3 + diff --git a/patches.suse/x86-sev-Don-t-use-cc_platform_has-for-early-SEV-SNP-.patch b/patches.suse/x86-sev-Don-t-use-cc_platform_has-for-early-SEV-SNP-.patch new file mode 100644 index 0000000..eb9f5b0 --- /dev/null +++ b/patches.suse/x86-sev-Don-t-use-cc_platform_has-for-early-SEV-SNP-.patch @@ -0,0 +1,75 @@ +From cdaa0a407f1acd3a44861e3aea6e3c7349e668f1 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Tue, 23 Aug 2022 16:55:51 -0500 +Subject: [PATCH] x86/sev: Don't use cc_platform_has() for early SEV-SNP calls +Git-commit: cdaa0a407f1acd3a44861e3aea6e3c7349e668f1 +Patch-mainline: v6.0-rc3 +References: bsc#1204970 + +When running identity-mapped and depending on the kernel configuration, +it is possible that the compiler uses jump tables when generating code +for cc_platform_has(). + +This causes a boot failure because the jump table uses un-mapped kernel +virtual addresses, not identity-mapped addresses. This has been seen +with CONFIG_RETPOLINE=n. + +Similar to sme_encrypt_kernel(), use an open-coded direct check for the +status of SNP rather than trying to eliminate the jump table. This +preserves any code optimization in cc_platform_has() that can be useful +post boot. It also limits the changes to SEV-specific files so that +future compiler features won't necessarily require possible build changes +just because they are not compatible with running identity-mapped. + + [ bp: Massage commit message. ] + +Fixes: 5e5ccff60a29 ("x86/sev: Add helper for validating pages in early enc attribute changes") +Reported-by: Sean Christopherson +Suggested-by: Sean Christopherson +Signed-off-by: Tom Lendacky +Signed-off-by: Borislav Petkov +Cc: # 5.19.x +Link: https://lore.kernel.org/all/YqfabnTRxFSM+LoX@google.com/ +Acked-by: Takashi Iwai + +--- + arch/x86/kernel/sev.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c +index 63dc626627a0..4f84c3f11af5 100644 +--- a/arch/x86/kernel/sev.c ++++ b/arch/x86/kernel/sev.c +@@ -701,7 +701,13 @@ static void __init early_set_pages_state(unsigned long paddr, unsigned int npage + void __init early_snp_set_memory_private(unsigned long vaddr, unsigned long paddr, + unsigned int npages) + { +- if (!cc_platform_has(CC_ATTR_GUEST_SEV_SNP)) ++ /* ++ * This can be invoked in early boot while running identity mapped, so ++ * use an open coded check for SNP instead of using cc_platform_has(). ++ * This eliminates worries about jump tables or checking boot_cpu_data ++ * in the cc_platform_has() function. ++ */ ++ if (!(sev_status & MSR_AMD64_SEV_SNP_ENABLED)) + return; + + /* +@@ -717,7 +723,13 @@ void __init early_snp_set_memory_private(unsigned long vaddr, unsigned long padd + void __init early_snp_set_memory_shared(unsigned long vaddr, unsigned long paddr, + unsigned int npages) + { +- if (!cc_platform_has(CC_ATTR_GUEST_SEV_SNP)) ++ /* ++ * This can be invoked in early boot while running identity mapped, so ++ * use an open coded check for SNP instead of using cc_platform_has(). ++ * This eliminates worries about jump tables or checking boot_cpu_data ++ * in the cc_platform_has() function. ++ */ ++ if (!(sev_status & MSR_AMD64_SEV_SNP_ENABLED)) + return; + + /* Invalidate the memory pages before they are marked shared in the RMP table. */ +-- +2.35.3 + diff --git a/patches.suse/x86-sev-Remove-duplicated-assignment-to-variable-inf.patch b/patches.suse/x86-sev-Remove-duplicated-assignment-to-variable-inf.patch new file mode 100644 index 0000000..58f2d6b --- /dev/null +++ b/patches.suse/x86-sev-Remove-duplicated-assignment-to-variable-inf.patch @@ -0,0 +1,56 @@ +From 0621210ab7693e6d50585ca689d95d57df617455 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Mon, 16 May 2022 19:42:15 +0100 +Subject: [PATCH] x86/sev: Remove duplicated assignment to variable info +Git-commit: 0621210ab7693e6d50585ca689d95d57df617455 +Patch-mainline: v5.19-rc1 +References: bsc#1204970 + +Variable info is being assigned the same value twice, remove the +redundant assignment. Also assign variable v in the declaration. + +Cleans up clang scan warning: + warning: Value stored to 'info' during its initialization is never read [deadcode.DeadStores] + +No code changed: + + # arch/x86/kernel/sev.o: + + text data bss dec hex filename + 19878 4487 4112 28477 6f3d sev.o.before + 19878 4487 4112 28477 6f3d sev.o.after + +Md5: bfbaa515af818615fd01fea91e7eba1b sev.o.before.asm bfbaa515af818615fd01fea91e7eba1b sev.o.after.asm + + [ bp: Running the before/after check on sev.c because sev-shared.c + gets included into it. ] + +Fixes: 597cfe48212a ("x86/boot/compressed/64: Setup a GHCB-based VC Exception handler") +Signed-off-by: Colin Ian King +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20220516184215.51841-1-colin.i.king@gmail.com +Acked-by: Takashi Iwai + +--- + arch/x86/kernel/sev-shared.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/sev-shared.c b/arch/x86/kernel/sev-shared.c +index 2b4270d5559e..b478edf43bec 100644 +--- a/arch/x86/kernel/sev-shared.c ++++ b/arch/x86/kernel/sev-shared.c +@@ -201,10 +201,7 @@ static enum es_result verify_exception_info(struct ghcb *ghcb, struct es_em_ctxt + + if (ret == 1) { + u64 info = ghcb->save.sw_exit_info_2; +- unsigned long v; +- +- info = ghcb->save.sw_exit_info_2; +- v = info & SVM_EVTINJ_VEC_MASK; ++ unsigned long v = info & SVM_EVTINJ_VEC_MASK; + + /* Check if exception information from hypervisor is sane. */ + if ((info & SVM_EVTINJ_VALID) && +-- +2.35.3 + diff --git a/patches.suse/xhci-Add-quirk-to-reset-host-back-to-default-state-a.patch b/patches.suse/xhci-Add-quirk-to-reset-host-back-to-default-state-a.patch new file mode 100644 index 0000000..5a7160f --- /dev/null +++ b/patches.suse/xhci-Add-quirk-to-reset-host-back-to-default-state-a.patch @@ -0,0 +1,85 @@ +From 34cd2db408d591bc15771cbcc90939ade0a99a21 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Mon, 24 Oct 2022 17:27:18 +0300 +Subject: [PATCH] xhci: Add quirk to reset host back to default state at shutdown +Git-commit: 34cd2db408d591bc15771cbcc90939ade0a99a21 +Patch-mainline: v6.1-rc3 +References: git-fixes + +Systems based on Alder Lake P see significant boot time delay if +boot firmware tries to control usb ports in unexpected link states. + +This is seen with self-powered usb devices that survive in U3 link +suspended state over S5. + +A more generic solution to power off ports at shutdown was attempted in +commit 83810f84ecf1 ("xhci: turn off port power in shutdown") +but it caused regression. + +Add host specific XHCI_RESET_TO_DEFAULT quirk which will reset host and +ports back to default state in shutdown. + +Cc: stable@vger.kernel.org +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20221024142720.4122053-3-mathias.nyman@intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci-pci.c | 4 ++++ + drivers/usb/host/xhci.c | 10 ++++++++-- + drivers/usb/host/xhci.h | 1 + + 3 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index 6dd3102749b7..fbbd547ba12a 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -257,6 +257,10 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + pdev->device == PCI_DEVICE_ID_INTEL_DNV_XHCI)) + xhci->quirks |= XHCI_MISSING_CAS; + ++ if (pdev->vendor == PCI_VENDOR_ID_INTEL && ++ pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI) ++ xhci->quirks |= XHCI_RESET_TO_DEFAULT; ++ + if (pdev->vendor == PCI_VENDOR_ID_INTEL && + (pdev->device == PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_2C_XHCI || + pdev->device == PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_4C_XHCI || +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 5176765c4013..79d7931c048a 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -810,9 +810,15 @@ void xhci_shutdown(struct usb_hcd *hcd) + + spin_lock_irq(&xhci->lock); + xhci_halt(xhci); +- /* Workaround for spurious wakeups at shutdown with HSW */ +- if (xhci->quirks & XHCI_SPURIOUS_WAKEUP) ++ ++ /* ++ * Workaround for spurious wakeps at shutdown with HSW, and for boot ++ * firmware delay in ADL-P PCH if port are left in U3 at shutdown ++ */ ++ if (xhci->quirks & XHCI_SPURIOUS_WAKEUP || ++ xhci->quirks & XHCI_RESET_TO_DEFAULT) + xhci_reset(xhci, XHCI_RESET_SHORT_USEC); ++ + spin_unlock_irq(&xhci->lock); + + xhci_cleanup_msix(xhci); +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index c0964fe8ac12..cc084d9505cd 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1897,6 +1897,7 @@ struct xhci_hcd { + #define XHCI_BROKEN_D3COLD BIT_ULL(41) + #define XHCI_EP_CTX_BROKEN_DCS BIT_ULL(42) + #define XHCI_SUSPEND_RESUME_CLKS BIT_ULL(43) ++#define XHCI_RESET_TO_DEFAULT BIT_ULL(44) + + unsigned int num_active_eps; + unsigned int limit_active_eps; +-- +2.35.3 + diff --git a/patches.suse/xhci-Remove-device-endpoints-from-bandwidth-list-whe.patch b/patches.suse/xhci-Remove-device-endpoints-from-bandwidth-list-whe.patch new file mode 100644 index 0000000..5203ea6 --- /dev/null +++ b/patches.suse/xhci-Remove-device-endpoints-from-bandwidth-list-whe.patch @@ -0,0 +1,75 @@ +From 5aed5b7c2430ce318a8e62f752f181e66f0d1053 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Mon, 24 Oct 2022 17:27:20 +0300 +Subject: [PATCH] xhci: Remove device endpoints from bandwidth list when freeing the device +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 5aed5b7c2430ce318a8e62f752f181e66f0d1053 +Patch-mainline: v6.1-rc3 +References: git-fixes + +Endpoints are normally deleted from the bandwidth list when they are +dropped, before the virt device is freed. + +If xHC host is dying or being removed then the endpoints aren't dropped +cleanly due to functions returning early to avoid interacting with a +non-accessible host controller. + +So check and delete endpoints that are still on the bandwidth list when +freeing the virt device. + +Solves a list_del corruption kernel crash when unbinding xhci-pci, +caused by xhci_mem_cleanup() when it later tried to delete already freed +endpoints from the bandwidth list. + +This only affects hosts that use software bandwidth checking, which +currenty is only the xHC in intel Panther Point PCH (Ivy Bridge) + +Cc: stable@vger.kernel.org +Reported-by: Marek Marczykowski-Górecki +Tested-by: Marek Marczykowski-Górecki +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20221024142720.4122053-5-mathias.nyman@intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci-mem.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 9e56aa28efcd..81ca2bc1f0be 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -889,15 +889,19 @@ void xhci_free_virt_device(struct xhci_hcd *xhci, int slot_id) + if (dev->eps[i].stream_info) + xhci_free_stream_info(xhci, + dev->eps[i].stream_info); +- /* Endpoints on the TT/root port lists should have been removed +- * when usb_disable_device() was called for the device. +- * We can't drop them anyway, because the udev might have gone +- * away by this point, and we can't tell what speed it was. ++ /* ++ * Endpoints are normally deleted from the bandwidth list when ++ * endpoints are dropped, before device is freed. ++ * If host is dying or being removed then endpoints aren't ++ * dropped cleanly, so delete the endpoint from list here. ++ * Only applicable for hosts with software bandwidth checking. + */ +- if (!list_empty(&dev->eps[i].bw_endpoint_list)) +- xhci_warn(xhci, "Slot %u endpoint %u " +- "not removed from BW list!\n", +- slot_id, i); ++ ++ if (!list_empty(&dev->eps[i].bw_endpoint_list)) { ++ list_del_init(&dev->eps[i].bw_endpoint_list); ++ xhci_dbg(xhci, "Slot %u endpoint %u not removed from BW list!\n", ++ slot_id, i); ++ } + } + /* If this is a hub, free the TT(s) from the TT list */ + xhci_free_tt_info(xhci, dev, slot_id); +-- +2.35.3 + diff --git a/patches.suse/xhci-pci-Set-runtime-PM-as-default-policy-on-all-xHC.patch b/patches.suse/xhci-pci-Set-runtime-PM-as-default-policy-on-all-xHC.patch new file mode 100644 index 0000000..08d4272 --- /dev/null +++ b/patches.suse/xhci-pci-Set-runtime-PM-as-default-policy-on-all-xHC.patch @@ -0,0 +1,109 @@ +From a611bf473d1f77b70f7188b5577542cb39b4701b Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Mon, 24 Oct 2022 17:27:19 +0300 +Subject: [PATCH] xhci-pci: Set runtime PM as default policy on all xHC 1.2 or later devices +Git-commit: a611bf473d1f77b70f7188b5577542cb39b4701b +Patch-mainline: v6.1-rc3 +References: git-fixes + +For optimal power consumption of USB4 routers the XHCI PCIe endpoint +used for tunneling must be in D3. Historically this is accomplished +by a long list of PCIe IDs that correspond to these endpoints because +the xhci_hcd driver will not default to allowing runtime PM for all +devices. + +As both AMD and Intel have released new products with new XHCI controllers +this list continues to grow. In reviewing the XHCI specification v1.2 on +page 607 there is already a requirement that the PCI power management +states D3hot and D3cold must be supported. + +In the quirk list, use this to indicate that runtime PM should be allowed +on XHCI controllers. The following controllers are known to be xHC 1.2 and +dropped explicitly: +* AMD Yellow Carp +* Intel Alder Lake +* Intel Meteor Lake +* Intel Raptor Lake + +[keep PCI ID for Alder Lake PCH for recently added quirk -Mathias] + +Cc: stable@vger.kernel.org +Suggested-by: Mathias Nyman +Link: https://www.intel.com/content/dam/www/public/us/en/documents/technical-specifications/extensible-host-controler-interface-usb-xhci.pdf +Signed-off-by: Mario Limonciello +Reviewed-by: Mika Westerberg +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20221024142720.4122053-4-mathias.nyman@intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci-pci.c | 32 ++++---------------------------- + 1 file changed, 4 insertions(+), 28 deletions(-) + +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index fbbd547ba12a..7bccbe50bab1 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -58,25 +58,13 @@ + #define PCI_DEVICE_ID_INTEL_CML_XHCI 0xa3af + #define PCI_DEVICE_ID_INTEL_TIGER_LAKE_XHCI 0x9a13 + #define PCI_DEVICE_ID_INTEL_MAPLE_RIDGE_XHCI 0x1138 +-#define PCI_DEVICE_ID_INTEL_ALDER_LAKE_XHCI 0x461e +-#define PCI_DEVICE_ID_INTEL_ALDER_LAKE_N_XHCI 0x464e +-#define PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI 0x51ed +-#define PCI_DEVICE_ID_INTEL_RAPTOR_LAKE_XHCI 0xa71e +-#define PCI_DEVICE_ID_INTEL_METEOR_LAKE_XHCI 0x7ec0 ++#define PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI 0x51ed + + #define PCI_DEVICE_ID_AMD_RENOIR_XHCI 0x1639 + #define PCI_DEVICE_ID_AMD_PROMONTORYA_4 0x43b9 + #define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba + #define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb + #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc +-#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_1 0x161a +-#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_2 0x161b +-#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_3 0x161d +-#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_4 0x161e +-#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_5 0x15d6 +-#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_6 0x15d7 +-#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_7 0x161c +-#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_8 0x161f + + #define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042 + #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142 +@@ -272,12 +260,7 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + pdev->device == PCI_DEVICE_ID_INTEL_TITAN_RIDGE_DD_XHCI || + pdev->device == PCI_DEVICE_ID_INTEL_ICE_LAKE_XHCI || + pdev->device == PCI_DEVICE_ID_INTEL_TIGER_LAKE_XHCI || +- pdev->device == PCI_DEVICE_ID_INTEL_MAPLE_RIDGE_XHCI || +- pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_XHCI || +- pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_N_XHCI || +- pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI || +- pdev->device == PCI_DEVICE_ID_INTEL_RAPTOR_LAKE_XHCI || +- pdev->device == PCI_DEVICE_ID_INTEL_METEOR_LAKE_XHCI)) ++ pdev->device == PCI_DEVICE_ID_INTEL_MAPLE_RIDGE_XHCI)) + xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW; + + if (pdev->vendor == PCI_VENDOR_ID_ETRON && +@@ -346,15 +329,8 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_4)) + xhci->quirks |= XHCI_NO_SOFT_RETRY; + +- if (pdev->vendor == PCI_VENDOR_ID_AMD && +- (pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_1 || +- pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_2 || +- pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_3 || +- pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_4 || +- pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_5 || +- pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_6 || +- pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_7 || +- pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_8)) ++ /* xHC spec requires PCI devices to support D3hot and D3cold */ ++ if (xhci->hci_version >= 0x120) + xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW; + + if (xhci->quirks & XHCI_RESET_ON_RESUME) +-- +2.35.3 + diff --git a/series.conf b/series.conf index 272726c..28ecb84 100644 --- a/series.conf +++ b/series.conf @@ -12404,6 +12404,8 @@ patches.suse/x86-boot-Put-globals-that-are-accessed-early-into-the-.data-sect patches.suse/x86-sev-Add-missing-__init-annotations-to-SEV-init-routines patches.suse/x86-sev-Get-the-AP-jump-table-address-from-secrets-page + patches.suse/x86-sev-Remove-duplicated-assignment-to-variable-inf.patch + patches.suse/x86-sev-Annotate-stack-change-in-the-VC-handler.patch patches.suse/ACPICA-Avoid-cache-flush-inside-virtual-machines.patch patches.suse/x86-mm-simplify-reserve_brk.patch patches.suse/x86-entry-remove-skip_r11rcx.patch @@ -13110,6 +13112,7 @@ patches.suse/tty-Fix-a-possible-resource-leak-in-icom_probe.patch patches.suse/tty-serial-owl-Fix-missing-clk_disable_unprepare-in-.patch patches.suse/tty-n_tty-Restore-EOF-push-handling-behavior.patch + patches.suse/serial-core-move-RS485-configuration-tasks-from-driv.patch patches.suse/serial-atmel-remove-redundant-assignment-in-rs485_co.patch patches.suse/serial-8250_aspeed_vuart-Fix-potential-NULL-derefere.patch patches.suse/tty-serial-fsl_lpuart-fix-potential-bug-when-using-b.patch @@ -13603,6 +13606,8 @@ patches.suse/powerpc-powernv-delay-rng-platform-device-creation-u.patch patches.suse/i2c-piix4-Fix-a-memory-leak-in-the-EFCH-MMIO-support.patch patches.suse/i2c-cadence-Unregister-the-clk-notifier-in-error-pat.patch + patches.suse/x86-compressed-64-Add-identity-mappings-for-setup_da.patch + patches.suse/x86-boot-Fix-the-setup-data-types-max-limit.patch patches.suse/misc-rtsx_usb-fix-use-of-dma-mapped-buffer-for-usb-b.patch patches.suse/misc-rtsx_usb-use-separate-command-and-response-buff.patch patches.suse/misc-rtsx_usb-set-return-value-in-rsp_buf-alloc-err-.patch @@ -14778,6 +14783,9 @@ patches.suse/s390-fix-double-free-of-GS-and-RI-CBs-on-fork-failure patches.suse/s390-mm-do-not-trigger-write-fault-when-vma-does-not-allow-VM_WRITE patches.suse/ACPI-processor-Remove-freq-Qos-request-for-all-CPUs.patch + patches.suse/thermal-int340x_thermal-handle-data_vault-when-the-v.patch + patches.suse/x86-boot-Don-t-propagate-uninitialized-boot_params-c.patch + patches.suse/x86-sev-Don-t-use-cc_platform_has-for-early-SEV-SNP-.patch patches.suse/btrfs-fix-space-cache-corruption-and-potential-doubl.patch patches.suse/asm-generic-sections-refactor-memory_intersects.patch patches.suse/HID-steam-Prevent-NULL-pointer-dereference-in-steam_.patch @@ -14927,6 +14935,7 @@ patches.suse/RDMA-cma-Fix-arguments-order-in-net-device-validatio.patch patches.suse/RDMA-srp-Set-scmnd-result-only-when-scmnd-is-not-NUL.patch patches.suse/RDMA-siw-Pass-a-pointer-to-virt_to_page.patch + patches.suse/IB-core-Fix-a-nested-dead-lock-as-part-of-ODP-flow.patch patches.suse/RDMA-irdma-Report-the-correct-max-cqes-from-query-de.patch patches.suse/RDMA-irdma-Return-error-on-MR-deregister-CQP-failure.patch patches.suse/RDMA-irdma-Return-correct-WC-error-for-bind-operatio.patch @@ -14990,6 +14999,7 @@ patches.suse/dmaengine-ti-k3-udma-private-Fix-refcount-leak-bug-i.patch patches.suse/gpio-mockup-fix-NULL-pointer-dereference-when-removi.patch patches.suse/gpiolib-cdev-Set-lineevent_state-irq-after-IRQ-regis.patch + patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch patches.suse/net-phy-aquantia-wait-for-the-suspend-resume-operati.patch patches.suse/net-ieee802154-fix-uninit-value-bug-in-dgram_sendmsg.patch patches.suse/msft-hv-2644-net-mana-Add-rmb-after-checking-owner-bits.patch @@ -15037,6 +15047,7 @@ patches.suse/i2c-mlxbf-incorrect-base-address-passed-during-io-wr.patch patches.suse/i2c-mlxbf-prevent-stack-overflow-in-mlxbf_i2c_smbus_.patch patches.suse/i2c-mlxbf-Fix-frequency-calculation.patch + patches.suse/ACPI-processor-idle-Practically-limit-Dummy-wait-wor.patch patches.suse/ASoC-imx-card-Fix-refcount-issue-with-of_node_put.patch patches.suse/ASoC-tas2770-Reinit-regcache-on-reset.patch patches.suse/ARM-dts-am33xx-Fix-MMCHS0-dma-properties.patch @@ -15103,6 +15114,7 @@ patches.suse/wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch patches.suse/wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch patches.suse/wifi-rtw88-add-missing-destroy_workqueue-on-error-pa.patch + patches.suse/ice-Allow-operation-with-reduced-device-MSI-X.patch patches.suse/can-rx-offload-can_rx_offload_init_queue-fix-typo.patch patches.suse/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch patches.suse/wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch @@ -15279,6 +15291,10 @@ patches.suse/fs-fix-UAF-GPF-bug-in-nilfs_mdt_destroy.patch patches.suse/sbitmap-fix-possible-io-hung-due-to-lost-wakeup.patch patches.suse/sbitmap-Avoid-leaving-waitqueue-in-invalid-state-in-.patch + patches.suse/nvmet-expose-max-queues-to-configfs.patch + patches.suse/nvme-tcp-handle-number-of-queue-changes.patch + patches.suse/nvme-rdma-handle-number-of-queue-changes.patch + patches.suse/nvme-consider-also-host_iface-when-checking-ip-options.patch patches.suse/nvme-restrict-management-ioctls-to-admin.patch patches.suse/nvme-ensure-subsystem-reset-is-single-threaded.patch patches.suse/ata-libahci_platform-Sanity-check-the-DT-child-nodes.patch @@ -15413,6 +15429,7 @@ patches.suse/dyndbg-fix-static_branch-manipulation.patch patches.suse/dyndbg-fix-module.dyndbg-handling.patch patches.suse/dyndbg-let-query-modname-override-actual-module-name.patch + patches.suse/kernfs-fix-use-after-free-in-__kernfs_remove.patch patches.suse/misc-ocxl-fix-possible-refcount-leak-in-afu_ioctl.patch patches.suse/virt-vbox-convert-to-use-dev_groups.patch patches.suse/misc-pci_endpoint_test-Aggregate-params-checking-for.patch @@ -15540,6 +15557,7 @@ patches.suse/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thre.patch patches.suse/xen-gntdev-Prevent-leaking-grants.patch patches.suse/drm-i915-gvt-fix-a-memory-leak-in-intel_gvt_init_vgp.patch + patches.suse/watchdog-wdat_wdt-fix-min-max-timer-value.patch patches.suse/watchdog-hpwdt-Include-nmi.h-only-if-CONFIG_HPWDT_NM.patch patches.suse/watchdog-ftwdt010_wdt-fix-test-for-platform_get_irq-.patch patches.suse/watchdog-armada_37xx_wdt-Fix-.set_timeout-callback.patch @@ -15620,6 +15638,7 @@ patches.suse/media-v4l2-dv-timings-add-sanity-checks-for-blanking.patch patches.suse/media-videodev2.h-V4L2_DV_BT_BLANKING_HEIGHT-should-.patch patches.suse/media-vivid-set-num_in-outputs-to-0-if-not-supported.patch + patches.suse/fs-binfmt_elf-Fix-memory-leak-in-load_elf_binary.patch patches.suse/mac802154-Fix-LQI-recording.patch patches.suse/can-mscan-mpc5xxx-mpc5xxx_can_probe-add-missing-put_.patch patches.suse/can-mcp251x-mcp251x_can_probe-add-missing-unregister.patch @@ -15657,6 +15676,10 @@ patches.suse/scsi-qla2xxx-Use-transport-defined-speed-mask-for-su.patch patches.suse/scsi-lpfc-Fix-spelling-mistake-unsolicted-unsolicite.patch patches.suse/usb-bdc-change-state-when-port-disconnected.patch + patches.suse/usb-xhci-add-XHCI_SPURIOUS_SUCCESS-to-ASM1042-despit.patch + patches.suse/xhci-Add-quirk-to-reset-host-back-to-default-state-a.patch + patches.suse/xhci-pci-Set-runtime-PM-as-default-policy-on-all-xHC.patch + patches.suse/xhci-Remove-device-endpoints-from-bandwidth-list-whe.patch patches.suse/usb-dwc3-gadget-Stop-processing-more-requests-on-IMI.patch patches.suse/usb-dwc3-gadget-Don-t-set-IMI-for-no_interrupt.patch patches.suse/iio-light-tsl2583-Fix-module-unloading.patch @@ -15665,7 +15688,36 @@ patches.suse/iio-adxl372-Fix-unsafe-buffer-attributes.patch patches.suse/iio-bmc150-accel-core-Fix-unsafe-buffer-attributes.patch patches.suse/fbdev-da8xx-fb-Fix-error-handling-in-.remove.patch + patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch patches.suse/fbdev-cyber2000fb-fix-missing-pci_disable_device.patch + patches.suse/nfc-fdp-Fix-potential-memory-leak-in-fdp_nci_send.patch + patches.suse/nfc-nxp-nci-Fix-potential-memory-leak-in-nxp_nci_sen.patch + patches.suse/nfc-s3fwrn5-Fix-potential-memory-leak-in-s3fwrn5_nci.patch + patches.suse/nfc-nfcmrvl-Fix-potential-memory-leak-in-nfcmrvl_i2c.patch + patches.suse/rose-Fix-NULL-pointer-dereference-in-rose_send_frame.patch + patches.suse/mISDN-fix-possible-memory-leak-in-mISDN_register_dev.patch + patches.suse/isdn-mISDN-netjet-fix-wrong-check-of-device-registra.patch + patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch + patches.suse/Bluetooth-virtio_bt-Use-skb_put-to-set-length.patch + patches.suse/Bluetooth-L2CAP-fix-use-after-free-in-l2cap_conn_del.patch + patches.suse/Bluetooth-L2CAP-Fix-memory-leak-in-vhci_write.patch + patches.suse/vsock-remove-the-unused-wait-in-vsock_connectible_re.patch + patches.suse/vsock-fix-possible-infinite-sleep-in-vsock_connectib.patch + patches.suse/selftests-pidfd_test-Remove-the-erroneous.patch + patches.suse/ata-pata_legacy-fix-pdc20230_set_piomode.patch + patches.suse/ARM-dts-imx6qdl-gw59-10-13-fix-user-pushbutton-GPIO-.patch + patches.suse/arm64-dts-imx8-correct-clock-order.patch + patches.suse/dt-bindings-power-gpcv2-add-power-domains-property.patch + patches.suse/arm64-dts-lx2160a-specify-clock-frequencies-for-the-.patch + patches.suse/arm64-dts-ls1088a-specify-clock-frequencies-for-the-.patch + patches.suse/arm64-dts-ls208xa-specify-clock-frequencies-for-the-.patch + patches.suse/firmware-arm_scmi-Suppress-the-driver-s-bind-attribu.patch + patches.suse/firmware-arm_scmi-Make-Rx-chan_setup-fail-on-memory-.patch + patches.suse/arm64-dts-juno-Add-thermal-critical-trip-points.patch + patches.suse/efi-tpm-Pass-correct-address-to-memblock_reserve.patch + patches.suse/i2c-piix4-Fix-adapter-not-be-removed-in-piix4_remove.patch + patches.suse/Documentation-devres-add-missing-I2C-helper.patch + patches.suse/arm64-entry-avoid-kprobe-recursion.patch # mkp/scsi queue patches.suse/scsi-lpfc-Set-sli4_param-s-cmf-option-to-zero-when-C.patch @@ -15702,25 +15754,10 @@ patches.suse/arm64-Implement-HAVE_PREEMPT_DYNAMIC.patch patches.suse/static_call-Fix-tools_headers.patch patches.suse/sched-preempt-Tell-about-PREEMPT_DYNAMIC-on-kernel-h.patch - patches.suse/nvme-consider-also-host_iface-when-checking-ip-options.patch - patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch - - patches.suse/nvmet-expose-max-queues-to-configfs.patch - patches.suse/nvme-tcp-handle-number-of-queue-changes.patch - patches.suse/nvme-rdma-handle-number-of-queue-changes.patch - - patches.suse/watchdog-wdat_wdt-fix-min-max-timer-value.patch - - patches.suse/ice-Allow-operation-with-reduced-device-MSI-X.patch patches.suse/media-dvb-core-Fix-UAF-due-to-refcount-races-at-rele.patch - patches.suse/scsi-core-Add-BLIST_NO_ASK_VPD_SIZE-for-some-VDASD.patch - patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch patches.suse/char-pcmcia-synclink_cs-Fix-use-after-free-in-mgslpc.patch patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch - - patches.suse/Bluetooth-L2CAP-Fix-memory-leak-in-vhci_write.patch - patches.suse/Bluetooth-L2CAP-fix-use-after-free-in-l2cap_conn_del.patch patches.suse/wifi-brcmfmac-Fix-potential-buffer-overflow-in-brcmf.patch patches.suse/ring-buffer-Check-for-NULL-cpu_buffer-in-ring_buffer.patch @@ -15982,9 +16019,6 @@ ######################################################## patches.suse/ACPI-acpi_pad-Do-not-launch-acpi_pad-threads-on-idle-cpus.patch patches.suse/thermal-Add-a-sanity-check-for-invalid-state-at-stat.patch - # Bug 1201308 - Partner-L3: HP Z2 G8 Workstation: supportconfig reboots on systool command - patches.suse/thermal-int340x_thermal-handle-data_vault-when-the-v.patch - patches.suse/ACPI-processor-idle-Practically-limit-Dummy-wait-wor.patch ######################################################## # DRM / Graphics